Red Hat Bugzilla – Attachment 1792033 Details for Bug 1955183: Add ANSSI-BP-028 High level profile
Final scan from manual installation - Server with GUI installation
final_gui_report.html (text/html), 2.04 MB, created by Milan Lysonek on 2021-06-18 11:26:44 UTC
><!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_anssi_bp28_high | OpenSCAP Evaluation Report</title><style>
.badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:focus,.btn-primary.focus{color:#fff;background-color:#3071a9;border-color:#193c5a}.btn-primary:hover{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active:hover,.btn-primary.active:hover,.open>.dropdown-toggle.btn-primary:hover,.btn-primary:active:focus,.btn-primary.active:focus,.open>.dropdown-toggle.btn-primary:focus,.btn-primary:active.focus,.btn-primary.active.focus,.open>.dropdown-toggle.btn-primary.focus{color:#fff;background-color:#285e8e;border-color:#193c5a}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled.focus,.btn-primary[disabled].focus,fieldset[disabled] .btn-primary.focus{background-color:#428bca;border-color:#357ebd}.btn-primary 
.badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:focus,.btn-success.focus{color:#fff;background-color:#449d44;border-color:#255625}.btn-success:hover{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active:hover,.btn-success.active:hover,.open>.dropdown-toggle.btn-success:hover,.btn-success:active:focus,.btn-success.active:focus,.open>.dropdown-toggle.btn-success:focus,.btn-success:active.focus,.btn-success.active.focus,.open>.dropdown-toggle.btn-success.focus{color:#fff;background-color:#398439;border-color:#255625}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled.focus,.btn-success[disabled].focus,fieldset[disabled] .btn-success.focus{background-color:#5cb85c;border-color:#4cae4c}.btn-success 
.badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:focus,.btn-info.focus{color:#fff;background-color:#31b0d5;border-color:#1b6d85}.btn-info:hover{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active:hover,.btn-info.active:hover,.open>.dropdown-toggle.btn-info:hover,.btn-info:active:focus,.btn-info.active:focus,.open>.dropdown-toggle.btn-info:focus,.btn-info:active.focus,.btn-info.active.focus,.open>.dropdown-toggle.btn-info.focus{color:#fff;background-color:#269abc;border-color:#1b6d85}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled.focus,.btn-info[disabled].focus,fieldset[disabled] .btn-info.focus{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active:hover,.btn-warning.active:hover,.open>.dropdown-toggle.btn-warning:hover,.btn-warning:active:focus,.btn-warning.active:focus,.open>.dropdown-toggle.btn-warning:focus,.btn-warning:active.focus,.btn-warning.active.focus,.open>.dropdown-toggle.btn-warning.focus{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled.focus,.btn-warning[disabled].focus,fieldset[disabled] .btn-warning.focus{background-color:#f0ad4e;border-color:#eea236}.btn-warning 
.badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active:hover,.btn-danger.active:hover,.open>.dropdown-toggle.btn-danger:hover,.btn-danger:active:focus,.btn-danger.active:focus,.open>.dropdown-toggle.btn-danger:focus,.btn-danger:active.focus,.btn-danger.active.focus,.open>.dropdown-toggle.btn-danger.focus{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled.focus,.btn-danger[disabled].focus,fieldset[disabled] .btn-danger.focus{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{color:#428bca;font-weight:normal;border-radius:0}.btn-link,.btn-link:active,.btn-link.active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 
5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-property:height, visibility;-o-transition-property:height, visibility;transition-property:height, visibility;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar .btn-group,.btn-toolbar 
.input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-top-left-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle="buttons"]>.btn input[type="radio"],[data-toggle="buttons"]>.btn-group>.btn input[type="radio"],[data-toggle="buttons"]>.btn input[type="checkbox"],[data-toggle="buttons"]>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-left:0;padding-right:0}.input-group 
.form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 
10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:transparent;cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 
0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent;cursor:default}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media 
(min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:15px;padding-left:15px;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media 
(min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;margin-right:15px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media 
(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{margin-left:-15px;margin-right:-15px;padding:10px 15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);margin-top:8px;margin-bottom:8px}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom 
.navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-left:15px;margin-right:15px}}@media (min-width:768px){.navbar-left{float:left !important}.navbar-right{float:right !important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#e7e7e7;color:#555}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse 
.navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#080808;color:#fff}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn 
.label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:middle;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}.nav-pills>li>a>.badge{margin-left:3px}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#dff0d8;border-color:#d6e9c6;color:#3c763d}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#31708f}.alert-info 
hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#8a6d3b}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{background-color:#f2dede;border-color:#ebccd1;color:#a94442}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:20px;margin-bottom:20px;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear 
infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, 
transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a,.panel-title>small,.panel-title>.small,.panel-title>small>a,.panel-title>.small>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group,.panel>.panel-collapse>.list-group{margin-bottom:0}.panel>.list-group .list-group-item,.panel>.panel-collapse>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child,.panel>.panel-collapse>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:3px;border-top-left-radius:3px}.panel>.list-group:last-child .list-group-item:last-child,.panel>.panel-collapse>.list-group:last-child 
.list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.panel-heading+.panel-collapse>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table caption,.panel>.table-responsive>.table caption,.panel>.panel-collapse>.table caption{padding-left:15px;padding-right:15px}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:3px;border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child 
td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child{border-bottom-left-radius:3px;border-bottom-right-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive,.panel>.table+.panel-body,.panel>.table-responsive+.panel-body{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.
table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body,.panel-group .panel-heading+.panel-collapse>.list-group{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading 
.badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading 
.badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate(0, -25%);-ms-transform:translate(0, -25%);-o-transform:translate(0, -25%);transform:translate(0, -25%);-webkit-transition:-webkit-transform 0.3s ease-out;-o-transition:-o-transform 0.3s ease-out;transition:transform 0.3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0, 0);-ms-transform:translate(0, 0);-o-transform:translate(0, 0);transform:translate(0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);-webkit-background-clip:padding-box;background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px 
rgba(0,0,0,0.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.panel-body:before,.panel-body:after,.modal-header:before,.modal-header:after,.modal-footer:before,.modal-footer:after{content:" ";display:table}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.panel-body:after,.modal-header:after,.modal-footer:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none !important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media (max-width:767px){.visible-xs{display:block !important}table.visible-xs{display:table !important}tr.visible-xs{display:table-row 
!important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media (max-width:767px){.visible-xs-block{display:block !important}}@media (max-width:767px){.visible-xs-inline{display:inline !important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block !important}table.visible-sm{display:table !important}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block !important}table.visible-md{display:table !important}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block !important}}@media (min-width:1200px){.visible-lg{display:block !important}table.visible-lg{display:table !important}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media (min-width:1200px){.visible-lg-block{display:block !important}}@media (min-width:1200px){.visible-lg-inline{display:inline !important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block !important}}@media (max-width:767px){.hidden-xs{display:none !important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none !important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none !important}}@media 
(min-width:1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table !important}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}} >table.treetable span.indenter{display:inline-block;margin:0;padding:0;text-align:right;user-select:none;-khtml-user-select:none;-moz-user-select:none;-o-user-select:none;-webkit-user-select:none;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;width:19px}table.treetable span.indenter a{background-position:left center;background-repeat:no-repeat;display:inline-block;text-decoration:none;width:19px}table.treetable tr.collapsed span.indenter 
a{}table.treetable tr.expanded span.indenter a{}table.treetable tr.branch{background-color:#f9f9f9}table.treetable 
tr.selected{background-color:#3875d7;color:#fff}table.treetable tr span.indenter a{outline:0}tr.rule-overview-needs-attention td a{color:#d9534f}td.rule-result div,span.rule-result{text-align:center;font-weight:bold;color:#fff;background:gray}td.rule-result-fail div,span.rule-result-fail{background:#d9534f}td.rule-result-error div,span.rule-result-error{background:#d9534f}td.rule-result-unknown div,span.rule-result-unknown{background:#f0ad4e}td.rule-result-pass div,span.rule-result-pass{background:#5cb85c}td.rule-result-fixed div,span.rule-result-fixed{background:#5cb85c}.js-only{display:none}.rule-result-filtered,.rule-result-filtered>*{display:none !important}.search-no-match,.search-no-match>*{display:none !important}.rule-detail-fail,.rule-detail-error,.rule-detail-unknown{border:2px solid #d9534f}#footer{text-align:center;margin-top:50px}pre{overflow:auto !important;word-wrap:normal !important;white-space:pre-wrap}div.check-system-details,div.remediation,div.description{width:0;min-width:100%;overflow-x:auto}div.profile-description{white-space:pre-wrap}div.modal-body{margin:50px;padding:0}div.horizontal-scroll{overflow-x:auto}div.top-spacer-10{margin-top:10px}@media print{.noprint{display:none}.label{border:0;padding:0}.container{width:100%}abbr[title]{border:0;text-decoration:none}div.progress{overflow:visible;height:auto}div.progress-bar{width:auto;float:none;width:auto !important;text-align:left}div.panel-body{padding:4px}}</style><script> >/*! 
jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */ >!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="1.12.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(n.isPlainObject(c)||(b=n.isArray(c)))?(b?(b=!1,f=a&&n.isArray(a)?a:[]):f=a&&n.isPlainObject(a)?a:{},g[d]=n.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new 
Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray||function(a){return"array"===n.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;try{if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(!l.ownFirst)for(b in a)return k.call(a,b);for(b in a);return void 0===b||k.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(b){b&&n.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(h)return h.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof 
b&&(f=a[b],b=a,a=f),n.isFunction(a)?(c=e.call(arguments,2),d=function(){return a.apply(b||this,c.concat(e.call(arguments)))},d.guid=a.guid=a.guid||n.guid++,d):void 0},now:function(){return+new Date},support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new 
RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var 
c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var 
c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="<a id='"+u+"'></a><select id='"+u+"-\r\\' msallowcapture=''><option selected=''></option></select>",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return 
d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," 
":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var 
j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return 
a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=la(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=ma(b);function pa(){}pa.prototype=d.filters=d.pseudos,d.setFilters=new pa,g=fa.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=R.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=S.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(Q," ")}),h=h.slice(c.length));for(g in d.filter)!(e=W[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fa.error(a):z(a,i).slice(0)};function qa(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function 
ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var 
l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return 
null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return n.inArray(a,b)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;e>b;b++)if(n.contains(d[b],this))return!0}));for(b=0;e>b;b++)n.find(a,d[b],c);return c=this.pushStack(e>1?n.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof 
n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}if(f=d.getElementById(e[2]),f&&f.parentNode){if(f.id!==e[2])return A.find(a);this.length=1,this[0]=f}return this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?"undefined"!=typeof c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b,c=n(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(n.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?n.inArray(this[0],n(a)):n.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return 
0;if(n.isEmptyObject(o))"inline"===("none"===j?Ma(a.nodeName):j)&&(p.display=j);else{r?"hidden"in r&&(q=r.hidden):r=n._data(a,"fxshow",{}),f&&(r.hidden=!q),q?n(a).show():m.done(function(){n(a).hide()}),m.done(function(){var b;n._removeData(a,"fxshow");for(b in o)n.style(a,b,o[b])});for(d in o)g=nb(q?r[d]:0,d,m),d in r||(r[d]=g.start,q&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function pb(a,b){var c,d,e,f,g;for(c in a)if(d=n.camelCase(c),e=b[d],f=a[c],n.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=n.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function qb(a,b,c){var d,e,f=0,g=qb.prefilters.length,h=n.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=hb||lb(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:n.extend({},b),opts:n.extend(!0,{specialEasing:{},easing:n.easing._default},c),originalProperties:b,originalOptions:c,startTime:hb||lb(),duration:c.duration,tweens:[],createTween:function(b,c){var d=n.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?(h.notifyWith(a,[j,1,0]),h.resolveWith(a,[j,b])):h.rejectWith(a,[j,b]),this}}),k=j.props;for(pb(k,j.opts.specialEasing);g>f;f++)if(d=qb.prefilters[f].call(j,a,k,j.opts))return n.isFunction(d.stop)&&(n._queueHooks(j.elem,j.opts.queue).stop=n.proxy(d.stop,d)),d;return n.map(k,nb,j),n.isFunction(j.opts.start)&&j.opts.start.call(a,j),n.fx.timer(n.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}n.Animation=n.extend(qb,{tweeners:{"*":[function(a,b){var c=this.createTween(a,b);return 
X(c.elem,a,U.exec(b),c),c}]},tweener:function(a,b){n.isFunction(a)?(b=a,a=["*"]):a=a.match(G);for(var c,d=0,e=a.length;e>d;d++)c=a[d],qb.tweeners[c]=qb.tweeners[c]||[],qb.tweeners[c].unshift(b)},prefilters:[ob],prefilter:function(a,b){b?qb.prefilters.unshift(a):qb.prefilters.push(a)}}),n.speed=function(a,b,c){var d=a&&"object"==typeof a?n.extend({},a):{complete:c||!c&&b||n.isFunction(a)&&a,duration:a,easing:c&&b||b&&!n.isFunction(b)&&b};return d.duration=n.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in n.fx.speeds?n.fx.speeds[d.duration]:n.fx.speeds._default,null!=d.queue&&d.queue!==!0||(d.queue="fx"),d.old=d.complete,d.complete=function(){n.isFunction(d.old)&&d.old.call(this),d.queue&&n.dequeue(this,d.queue)},d},n.fn.extend({fadeTo:function(a,b,c,d){return this.filter(W).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=n.isEmptyObject(a),f=n.speed(b,c,d),g=function(){var b=qb(this,n.extend({},a),f);(e||n._data(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=n.timers,g=n._data(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&kb.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));!b&&c||n.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=n._data(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=n.timers,g=d?d.length:0;for(c.finish=!0,n.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),n.each(["toggle","show","hide"],function(a,b){var c=n.fn[b];n.fn[b]=function(a,d,e){return 
null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(mb(b,!0),a,d,e)}}),n.each({slideDown:mb("show"),slideUp:mb("hide"),slideToggle:mb("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){n.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),n.timers=[],n.fx.tick=function(){var a,b=n.timers,c=0;for(hb=n.now();c<b.length;c++)a=b[c],a()||b[c]!==a||b.splice(c--,1);b.length||n.fx.stop(),hb=void 0},n.fx.timer=function(a){n.timers.push(a),a()?n.fx.start():n.timers.pop()},n.fx.interval=13,n.fx.start=function(){ib||(ib=a.setInterval(n.fx.tick,n.fx.interval))},n.fx.stop=function(){a.clearInterval(ib),ib=null},n.fx.speeds={slow:600,fast:200,_default:400},n.fn.delay=function(b,c){return b=n.fx?n.fx.speeds[b]||b:b,c=c||"fx",this.queue(c,function(c,d){var e=a.setTimeout(c,b);d.stop=function(){a.clearTimeout(e)}})},function(){var a,b=d.createElement("input"),c=d.createElement("div"),e=d.createElement("select"),f=e.appendChild(d.createElement("option"));c=d.createElement("div"),c.setAttribute("className","t"),c.innerHTML=" <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",a=c.getElementsByTagName("a")[0],b.setAttribute("type","checkbox"),c.appendChild(b),a=c.getElementsByTagName("a")[0],a.style.cssText="top:1px",l.getSetAttribute="t"!==c.className,l.style=/top/.test(a.getAttribute("style")),l.hrefNormalized="/a"===a.getAttribute("href"),l.checkOn=!!b.value,l.optSelected=f.selected,l.enctype=!!d.createElement("form").enctype,e.disabled=!0,l.optDisabled=!f.disabled,b=d.createElement("input"),b.setAttribute("value",""),l.input=""===b.getAttribute("value"),b.value="t",b.setAttribute("type","radio"),l.radioValue="t"===b.value}();var rb=/\r/g,sb=/[\x20\t\r\n\f]+/g;n.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=n.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,n(this).val()):a,null==e?e="":"number"==typeof 
e?e+="":n.isArray(e)&&(e=n.map(e,function(a){return null==a?"":a+""})),b=n.valHooks[this.type]||n.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=n.valHooks[e.type]||n.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(rb,""):null==c?"":c)}}}),n.extend({valHooks:{option:{get:function(a){var b=n.find.attr(a,"value");return null!=b?b:n.trim(n.text(a)).replace(sb," ")}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],(c.selected||i===e)&&(l.optDisabled?!c.disabled:null===c.getAttribute("disabled"))&&(!c.parentNode.disabled||!n.nodeName(c.parentNode,"optgroup"))){if(b=n(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=n.makeArray(b),g=e.length;while(g--)if(d=e[g],n.inArray(n.valHooks.option.get(d),f)>-1)try{d.selected=c=!0}catch(h){d.scrollHeight}else d.selected=!1;return c||(a.selectedIndex=-1),e}}}}),n.each(["radio","checkbox"],function(){n.valHooks[this]={set:function(a,b){return n.isArray(b)?a.checked=n.inArray(n(a).val(),b)>-1:void 0}},l.checkOn||(n.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var tb,ub,vb=n.expr.attrHandle,wb=/^(?:checked|selected)$/i,xb=l.getSetAttribute,yb=l.input;n.fn.extend({attr:function(a,b){return Y(this,n.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){n.removeAttr(this,a)})}}),n.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return"undefined"==typeof a.getAttribute?n.prop(a,b,c):(1===f&&n.isXMLDoc(a)||(b=b.toLowerCase(),e=n.attrHooks[b]||(n.expr.match.bool.test(b)?ub:tb)),void 0!==c?null===c?void n.removeAttr(a,b):e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:(a.setAttribute(b,c+""),c):e&&"get"in e&&null!==(d=e.get(a,b))?d:(d=n.find.attr(a,b),null==d?void 
0:d))},attrHooks:{type:{set:function(a,b){if(!l.radioValue&&"radio"===b&&n.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(G);if(f&&1===a.nodeType)while(c=f[e++])d=n.propFix[c]||c,n.expr.match.bool.test(c)?yb&&xb||!wb.test(c)?a[d]=!1:a[n.camelCase("default-"+c)]=a[d]=!1:n.attr(a,c,""),a.removeAttribute(xb?c:d)}}),ub={set:function(a,b,c){return b===!1?n.removeAttr(a,c):yb&&xb||!wb.test(c)?a.setAttribute(!xb&&n.propFix[c]||c,c):a[n.camelCase("default-"+c)]=a[c]=!0,c}},n.each(n.expr.match.bool.source.match(/\w+/g),function(a,b){var c=vb[b]||n.find.attr;yb&&xb||!wb.test(b)?vb[b]=function(a,b,d){var e,f;return d||(f=vb[b],vb[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,vb[b]=f),e}:vb[b]=function(a,b,c){return c?void 0:a[n.camelCase("default-"+b)]?b.toLowerCase():null}}),yb&&xb||(n.attrHooks.value={set:function(a,b,c){return n.nodeName(a,"input")?void(a.defaultValue=b):tb&&tb.set(a,b,c)}}),xb||(tb={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},vb.id=vb.name=vb.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},n.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:tb.set},n.attrHooks.contenteditable={set:function(a,b,c){tb.set(a,""===b?!1:b,c)}},n.each(["width","height"],function(a,b){n.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),l.style||(n.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var zb=/^(?:input|select|textarea|button|object)$/i,Ab=/^(?:a|area)$/i;n.fn.extend({prop:function(a,b){return Y(this,n.prop,a,b,arguments.length>1)},removeProp:function(a){return a=n.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete 
this[a]}catch(b){}})}}),n.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&n.isXMLDoc(a)||(b=n.propFix[b]||b,e=n.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=n.find.attr(a,"tabindex");return b?parseInt(b,10):zb.test(a.nodeName)||Ab.test(a.nodeName)&&a.href?0:-1}}},propFix:{"for":"htmlFor","class":"className"}}),l.hrefNormalized||n.each(["href","src"],function(a,b){n.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),l.optSelected||(n.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),n.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){n.propFix[this.toLowerCase()]=this}),l.enctype||(n.propFix.enctype="encoding");var Bb=/[\t\r\n\f]/g;function Cb(a){return n.attr(a,"class")||""}n.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).addClass(a.call(this,b,Cb(this)))});if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])d.indexOf(" "+f+" ")<0&&(d+=f+" ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).removeClass(a.call(this,b,Cb(this)))});if(!arguments.length)return this.attr("class","");if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])while(d.indexOf(" "+f+" ")>-1)d=d.replace(" "+f+" "," ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof 
b&&"string"===c?b?this.addClass(a):this.removeClass(a):n.isFunction(a)?this.each(function(c){n(this).toggleClass(a.call(this,c,Cb(this),b),b)}):this.each(function(){var b,d,e,f;if("string"===c){d=0,e=n(this),f=a.match(G)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&"boolean"!==c||(b=Cb(this),b&&n._data(this,"__className__",b),n.attr(this,"class",b||a===!1?"":n._data(this,"__className__")||""))})},hasClass:function(a){var b,c,d=0;b=" "+a+" ";while(c=this[d++])if(1===c.nodeType&&(" "+Cb(c)+" ").replace(Bb," ").indexOf(b)>-1)return!0;return!1}}),n.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){n.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),n.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}});var Db=a.location,Eb=n.now(),Fb=/\?/,Gb=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;n.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=n.trim(b+"");return e&&!n.trim(e.replace(Gb,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():n.error("Invalid JSON: "+b)},n.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new a.DOMParser,c=d.parseFromString(b,"text/xml")):(c=new a.ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||n.error("Invalid XML: "+b),c};var Hb=/#.*$/,Ib=/([?&])_=[^&]*/,Jb=/^(.*?):[ 
\t]*([^\r\n]*)\r?$/gm,Kb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Lb=/^(?:GET|HEAD)$/,Mb=/^\/\//,Nb=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Ob={},Pb={},Qb="*/".concat("*"),Rb=Db.href,Sb=Nb.exec(Rb.toLowerCase())||[];function Tb(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(G)||[];if(n.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Ub(a,b,c,d){var e={},f=a===Pb;function g(h){var i;return e[h]=!0,n.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Vb(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&n.extend(!0,a,c),a}function Wb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Xb(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to 
"+f}}}return{state:"success",data:b}}n.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:Rb,type:"GET",isLocal:Kb.test(Sb[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Qb,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/\bxml\b/,html:/\bhtml/,json:/\bjson\b/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":n.parseJSON,"text xml":n.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Vb(Vb(a,n.ajaxSettings),b):Vb(n.ajaxSettings,a)},ajaxPrefilter:Tb(Ob),ajaxTransport:Tb(Pb),ajax:function(b,c){"object"==typeof b&&(c=b,b=void 0),c=c||{};var d,e,f,g,h,i,j,k,l=n.ajaxSetup({},c),m=l.context||l,o=l.context&&(m.nodeType||m.jquery)?n(m):n.event,p=n.Deferred(),q=n.Callbacks("once memory"),r=l.statusCode||{},s={},t={},u=0,v="canceled",w={readyState:0,getResponseHeader:function(a){var b;if(2===u){if(!k){k={};while(b=Jb.exec(g))k[b[1].toLowerCase()]=b[2]}b=k[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===u?g:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return u||(a=t[c]=t[c]||a,s[a]=b),this},overrideMimeType:function(a){return u||(l.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>u)for(b in a)r[b]=[r[b],a[b]];else w.always(a[w.status]);return this},abort:function(a){var b=a||v;return j&&j.abort(b),y(0,b),this}};if(p.promise(w).complete=q.add,w.success=w.done,w.error=w.fail,l.url=((b||l.url||Rb)+"").replace(Hb,"").replace(Mb,Sb[1]+"//"),l.type=c.method||c.type||l.method||l.type,l.dataTypes=n.trim(l.dataType||"*").toLowerCase().match(G)||[""],null==l.crossDomain&&(d=Nb.exec(l.url.toLowerCase()),l.crossDomain=!(!d||d[1]===Sb[1]&&d[2]===Sb[2]&&(d[3]||("http:"===d[1]?"80":"443"))===(Sb[3]||("http:"===Sb[1]?"80":"443")))),l.data&&l.processData&&"string"!=typeof 
l.data&&(l.data=n.param(l.data,l.traditional)),Ub(Ob,l,c,w),2===u)return w;i=n.event&&l.global,i&&0===n.active++&&n.event.trigger("ajaxStart"),l.type=l.type.toUpperCase(),l.hasContent=!Lb.test(l.type),f=l.url,l.hasContent||(l.data&&(f=l.url+=(Fb.test(f)?"&":"?")+l.data,delete l.data),l.cache===!1&&(l.url=Ib.test(f)?f.replace(Ib,"$1_="+Eb++):f+(Fb.test(f)?"&":"?")+"_="+Eb++)),l.ifModified&&(n.lastModified[f]&&w.setRequestHeader("If-Modified-Since",n.lastModified[f]),n.etag[f]&&w.setRequestHeader("If-None-Match",n.etag[f])),(l.data&&l.hasContent&&l.contentType!==!1||c.contentType)&&w.setRequestHeader("Content-Type",l.contentType),w.setRequestHeader("Accept",l.dataTypes[0]&&l.accepts[l.dataTypes[0]]?l.accepts[l.dataTypes[0]]+("*"!==l.dataTypes[0]?", "+Qb+"; q=0.01":""):l.accepts["*"]);for(e in l.headers)w.setRequestHeader(e,l.headers[e]);if(l.beforeSend&&(l.beforeSend.call(m,w,l)===!1||2===u))return w.abort();v="abort";for(e in{success:1,error:1,complete:1})w[e](l[e]);if(j=Ub(Pb,l,c,w)){if(w.readyState=1,i&&o.trigger("ajaxSend",[w,l]),2===u)return w;l.async&&l.timeout>0&&(h=a.setTimeout(function(){w.abort("timeout")},l.timeout));try{u=1,j.send(s,y)}catch(x){if(!(2>u))throw x;y(-1,x)}}else y(-1,"No Transport");function y(b,c,d,e){var k,s,t,v,x,y=c;2!==u&&(u=2,h&&a.clearTimeout(h),j=void 0,g=e||"",w.readyState=b>0?4:0,k=b>=200&&300>b||304===b,d&&(v=Wb(l,w,d)),v=Xb(l,v,w,k),k?(l.ifModified&&(x=w.getResponseHeader("Last-Modified"),x&&(n.lastModified[f]=x),x=w.getResponseHeader("etag"),x&&(n.etag[f]=x)),204===b||"HEAD"===l.type?y="nocontent":304===b?y="notmodified":(y=v.state,s=v.data,t=v.error,k=!t)):(t=y,!b&&y||(y="error",0>b&&(b=0))),w.status=b,w.statusText=(c||y)+"",k?p.resolveWith(m,[s,y,w]):p.rejectWith(m,[w,y,t]),w.statusCode(r),r=void 0,i&&o.trigger(k?"ajaxSuccess":"ajaxError",[w,l,k?s:t]),q.fireWith(m,[w,y]),i&&(o.trigger("ajaxComplete",[w,l]),--n.active||n.event.trigger("ajaxStop")))}return w},getJSON:function(a,b,c){return 
n.get(a,b,c,"json")},getScript:function(a,b){return n.get(a,void 0,b,"script")}}),n.each(["get","post"],function(a,b){n[b]=function(a,c,d,e){return n.isFunction(c)&&(e=e||d,d=c,c=void 0),n.ajax(n.extend({url:a,type:b,dataType:e,data:c,success:d},n.isPlainObject(a)&&a))}}),n._evalUrl=function(a){return n.ajax({url:a,type:"GET",dataType:"script",cache:!0,async:!1,global:!1,"throws":!0})},n.fn.extend({wrapAll:function(a){if(n.isFunction(a))return this.each(function(b){n(this).wrapAll(a.call(this,b))});if(this[0]){var b=n(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return n.isFunction(a)?this.each(function(b){n(this).wrapInner(a.call(this,b))}):this.each(function(){var b=n(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=n.isFunction(a);return this.each(function(c){n(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){n.nodeName(this,"body")||n(this).replaceWith(this.childNodes)}).end()}});function Yb(a){return a.style&&a.style.display||n.css(a,"display")}function Zb(a){if(!n.contains(a.ownerDocument||d,a))return!0;while(a&&1===a.nodeType){if("none"===Yb(a)||"hidden"===a.type)return!0;a=a.parentNode}return!1}n.expr.filters.hidden=function(a){return l.reliableHiddenOffsets()?a.offsetWidth<=0&&a.offsetHeight<=0&&!a.getClientRects().length:Zb(a)},n.expr.filters.visible=function(a){return!n.expr.filters.hidden(a)};var $b=/%20/g,_b=/\[\]$/,ac=/\r?\n/g,bc=/^(?:submit|button|image|reset|file)$/i,cc=/^(?:input|select|textarea|keygen)/i;function dc(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||_b.test(a)?d(a,e):dc(a+"["+("object"==typeof e&&null!=e?b:"")+"]",e,c,d)});else if(c||"object"!==n.type(b))d(a,b);else for(e in b)dc(a+"["+e+"]",b[e],c,d)}n.param=function(a,b){var 
c,d=[],e=function(a,b){b=n.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=n.ajaxSettings&&n.ajaxSettings.traditional),n.isArray(a)||a.jquery&&!n.isPlainObject(a))n.each(a,function(){e(this.name,this.value)});else for(c in a)dc(c,a[c],b,e);return d.join("&").replace($b,"+")},n.fn.extend({serialize:function(){return n.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=n.prop(this,"elements");return a?n.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!n(this).is(":disabled")&&cc.test(this.nodeName)&&!bc.test(a)&&(this.checked||!Z.test(a))}).map(function(a,b){var c=n(this).val();return null==c?null:n.isArray(c)?n.map(c,function(a){return{name:b.name,value:a.replace(ac,"\r\n")}}):{name:b.name,value:c.replace(ac,"\r\n")}}).get()}}),n.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return this.isLocal?ic():d.documentMode>8?hc():/^(get|post|head|put|delete|options)$/i.test(this.type)&&hc()||ic()}:hc;var ec=0,fc={},gc=n.ajaxSettings.xhr();a.attachEvent&&a.attachEvent("onunload",function(){for(var a in fc)fc[a](void 0,!0)}),l.cors=!!gc&&"withCredentials"in gc,gc=l.ajax=!!gc,gc&&n.ajaxTransport(function(b){if(!b.crossDomain||l.cors){var c;return{send:function(d,e){var f,g=b.xhr(),h=++ec;if(g.open(b.type,b.url,b.async,b.username,b.password),b.xhrFields)for(f in b.xhrFields)g[f]=b.xhrFields[f];b.mimeType&&g.overrideMimeType&&g.overrideMimeType(b.mimeType),b.crossDomain||d["X-Requested-With"]||(d["X-Requested-With"]="XMLHttpRequest");for(f in d)void 0!==d[f]&&g.setRequestHeader(f,d[f]+"");g.send(b.hasContent&&b.data||null),c=function(a,d){var f,i,j;if(c&&(d||4===g.readyState))if(delete fc[h],c=void 0,g.onreadystatechange=n.noop,d)4!==g.readyState&&g.abort();else{j={},f=g.status,"string"==typeof 
g.responseText&&(j.text=g.responseText);try{i=g.statusText}catch(k){i=""}f||!b.isLocal||b.crossDomain?1223===f&&(f=204):f=j.text?200:404}j&&e(f,i,j,g.getAllResponseHeaders())},b.async?4===g.readyState?a.setTimeout(c):g.onreadystatechange=fc[h]=c:c()},abort:function(){c&&c(void 0,!0)}}}});function hc(){try{return new a.XMLHttpRequest}catch(b){}}function ic(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}n.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/\b(?:java|ecma)script\b/},converters:{"text script":function(a){return n.globalEval(a),a}}}),n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),n.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=d.head||n("head")[0]||d.documentElement;return{send:function(e,f){b=d.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||f(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var jc=[],kc=/(=)\?(?=&|$)|\?\?/;n.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=jc.pop()||n.expando+"_"+Eb++;return this[a]=!0,a}}),n.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(kc.test(b.url)?"url":"string"==typeof b.data&&0===(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&kc.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=n.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(kc,"$1"+e):b.jsonp!==!1&&(b.url+=(Fb.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||n.error(e+" was not 
</script></head><body><nav class="navbar navbar-default"><div class="navbar-header" style="float: none"><a class="navbar-brand" href="#"><svg
xmlns="http://www.w3.org/2000/svg" version="1.1" width="52" height="52" id="svg2"><g transform="matrix(0.75266991,0,0,0.75266991,-17.752968,-104.57468)" id="g32"><path d="m 24.7,173.5 c 0,-9 3.5,-17.5 9.9,-23.9 6.8,-6.8 15.7,-10.4 25,-10 8.6,0.3 16.9,3.9 22.9,9.8 6.4,6.4 9.9,14.9 10,23.8 0.1,9.1 -3.5,17.8 -10,24.3 -13.2,13.2 -34.7,13.1 -48,-0.1 -1.5,-1.5 -1.9,-4.2 0.2,-6.2 l 9,-9 c -2,-3.6 -4.9,-13.1 2.6,-20.7 7.6,-7.6 18.6,-6 24.4,-0.2 3.3,3.3 5.1,7.6 5.1,12.1 0.1,4.6 -1.8,9.1 -5.3,12.5 -4.2,4.2 -10.2,5.8 -16.1,4.4 -1.5,-0.4 -2.4,-1.9 -2.1,-3.4 0.4,-1.5 1.9,-2.4 3.4,-2.1 4.1,1 8,-0.1 10.9,-2.9 2.3,-2.3 3.6,-5.3 3.6,-8.4 0,0 0,-0.1 0,-0.1 0,-3 -1.3,-5.9 -3.5,-8.2 -3.9,-3.9 -11.3,-4.9 -16.5,0.2 -6.3,6.3 -1.6,14.1 -1.6,14.2 1.5,2.4 0.7,5 -0.9,6.3 l -8.4,8.4 c 9.9,8.9 27.2,11.2 39.1,-0.8 5.4,-5.4 8.4,-12.5 8.4,-20 0,-0.1 0,-0.2 0,-0.3 -0.1,-7.5 -3,-14.6 -8.4,-19.9 -5,-5 -11.9,-8 -19.1,-8.2 -7.8,-0.3 -15.2,2.7 -20.9,8.4 -8.7,8.7 -8.7,19 -7.9,24.3 0.3,2.4 1.1,4.9 2.2,7.3 0.6,1.4 0,3.1 -1.4,3.7 -1.4,0.6 -3.1,0 -3.7,-1.4 -1.3,-2.9 -2.2,-5.8 -2.6,-8.7 -0.3,-1.7 -0.4,-3.5 -0.4,-5.2 z" id="path34" style="fill:#12497f"></path></g></svg></a><div><h1>OpenSCAP Evaluation Report</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</h2><blockquote>with profile <mark>ANSSI-BP-028 (high)</mark><div class="col-md-12 well well-lg horizontal-scroll"><div class="description profile-description"><small>This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.

ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/</small></div></div></blockquote><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">The SCAP Security Guide Project<br>

    <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>
</div><div class="description">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation. The SCAP content
is available in the <code>scap-security-guide</code> package which is developed at

    <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>.
<br><br>
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a <em>catalog, not a
checklist</em>, and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives.
Some example
XCCDF <em>Profiles</em>, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP). The DISA STIG, which provides required
settings for US Department of Defense systems, is one example of a baseline
created from this guidance.
</div><div class="top-spacer-10"><div class="alert alert-info">Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and make no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="characteristics"><h2>Evaluation Characteristics</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Evaluation target</th><td>localhost</td></tr><tr><th>Benchmark URL</th><td>#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml</td></tr><tr><th>Benchmark ID</th><td>xccdf_org.ssgproject.content_benchmark_RHEL-8</td></tr><tr><th>Benchmark version</th><td>0.1.56</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr><tr><th>Started at</th><td>2021-06-18T12:02:23+01:00</td></tr><tr><th>Finished at</th><td>2021-06-18T12:05:36+01:00</td></tr><tr><th>Performed by</th><td>test</td></tr><tr><th>Test system</th><td>cpe:/a:redhat:openscap:1.3.5</td></tr></table></div><div class="col-md-3 horizontal-scroll"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:8 was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div><div class="col-md-4 horizontal-scroll"><h4>Addresses</h4><ul
class="list-group"><li class="list-group-item"><span class="label label-primary">IPv4</span> >  127.0.0.1</li><li class="list-group-item"><span class="label label-primary">IPv4</span> >  192.168.122.198</li><li class="list-group-item"><span class="label label-info">IPv6</span> >  0:0:0:0:0:0:0:1</li><li class="list-group-item"><span class="label label-info">IPv6</span> >  fe80:0:0:0:5054:ff:fee6:ccee</li><li class="list-group-item"><span class="label label-default">MAC</span> >  00:00:00:00:00:00</li><li class="list-group-item"><span class="label label-default">MAC</span> >  52:54:00:E6:CC:EE</li></ul></div></div></div><div id="compliance-and-scoring"><h2>Compliance and Scoring</h2><div class="alert alert-danger"><strong>The target system did not satisfy the conditions of 9 rules!</strong> > Please review rule results and consider applying remediation. > </div><h3>Rule results</h3><div class="progress" title="Displays proportion of passed/fixed, failed/error, and other rules (in that order). There were $not_ignored_rules_count rules taken into account."><div class="progress-bar progress-bar-success" style="width: 93.9890710382514%">172 passed > </div><div class="progress-bar progress-bar-danger" style="width: 4.918032786885246%">9 failed > </div><div class="progress-bar progress-bar-warning" style="width: 1.092896174863389%">2 other > </div></div><h3>Severity of failed rules</h3><div class="progress" title="Displays proportion of high, medium, low, and other severity failed rules (in that order). 
There were 9 total failed rules."><div class="progress-bar progress-bar-success" style="width: 0%">0 other > </div><div class="progress-bar progress-bar-info" style="width: 0%">0 low > </div><div class="progress-bar progress-bar-warning" style="width: 88.8888888888889%">8 medium > </div><div class="progress-bar progress-bar-danger" style="width: 11.1111111111111%">1 high > </div></div><h3 title="As per the XCCDF specification">Score</h3><table class="table table-striped table-bordered"><thead><tr><th>Scoring system</th><th class="text-center">Score</th><th class="text-center">Maximum</th><th class="text-center" style="width: 40%">Percent</th></tr></thead><tbody><tr><td>urn:xccdf:scoring:default</td><td class="text-center">95.305061</td><td class="text-center">100.000000</td><td><div class="progress"><div class="progress-bar progress-bar-success" style="width: 95.305061%">95.31%</div><div class="progress-bar progress-bar-danger" style="width: 4.694939000000005%"></div></div></td></tr></tbody></table></div><div id="rule-overview"><h2>Rule Overview</h2><div class="form-group js-only hidden-print"><div class="row"><div title="Filter rules by their XCCDF result"><div class="col-sm-2 toggle-rule-display-success"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="pass">pass</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fixed">fixed</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="informational">informational</label></div></div><div class="col-sm-2 toggle-rule-display-danger"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fail">fail</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" 
onclick="toggleRuleDisplay(this)" checked value="error">error</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="unknown">unknown</label></div></div><div class="col-sm-2 toggle-rule-display-other"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notchecked">notchecked</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notapplicable">notapplicable</label></div></div></div><div class="col-sm-6"><div class="input-group"><input type="text" class="form-control" placeholder="Search through XCCDF rules" id="search-input" oninput="ruleSearch()"><div class="input-group-btn"><button class="btn btn-default" onclick="ruleSearch()">Search</button></div></div><p id="search-matches"></p> > Group rules by: > <select name="groupby" onchange="groupRulesBy(value)"><option value="default" selected>Default</option><option value="severity">Severity</option><option value="result">Result</option><option disabled>──────────</option><option value="NIST SP 800-171">NIST SP 800-171</option><option value="NIST SP 800-53">NIST SP 800-53</option><option value="ANSSI">ANSSI</option><option value="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</option><option value="https://public.cyber.mil/stigs/cci/">https://public.cyber.mil/stigs/cci/</option><option value="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os</option><option 
value="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux</option><option value="https://public.cyber.mil/stigs/srg-stig-tools/">https://public.cyber.mil/stigs/srg-stig-tools/</option><option value="https://www.cisecurity.org/benchmark/red_hat_linux/">https://www.cisecurity.org/benchmark/red_hat_linux/</option><option value="https://www.cisecurity.org/controls/">https://www.cisecurity.org/controls/</option><option value="FBI CJIS">FBI CJIS</option><option value="HIPAA">HIPAA</option><option value="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731</option><option value="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785</option><option value="https://www.isaca.org/resources/cobit">https://www.isaca.org/resources/cobit</option><option value="ISO 27001-2013">ISO 27001-2013</option><option value="https://www.niap-ccevs.org/Profile/PP.cfm">https://www.niap-ccevs.org/Profile/PP.cfm</option><option value="PCI-DSS Requirement">PCI-DSS Requirement</option></select></div></div></div><table class="treetable table table-bordered"><thead><tr><th>Title</th><th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody><tr data-tt-id="xccdf_org.ssgproject.content_benchmark_RHEL-8" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 0px"><strong>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</strong> <span class="badge">9x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 19px"><strong>System Settings</strong> <span class="badge">9x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Installing and Maintaining Software</strong> <span class="badge">3x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">System and Software Integrity<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_integrity");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software-integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software-integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px">Software Integrity Checking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_software-integrity");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px">Verify Integrity with 
AIDE<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_aide");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_aide_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-overview-leaf-idm45662296184064" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"":["1034","1288","1341","1417"],"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/cci/":["CCI-002699","CCI-001744"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000363-GPOS-00150"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010360"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230263r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.4.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI CJIS":["5.10.1.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 
114px"><a href="#rule-detail-idm45662296184064" onclick="return openRuleDetailsDialog('idm45662296184064')">Install AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="rule-overview-leaf-idm45662296180080" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI CJIS":["5.10.1.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296180080" onclick="return openRuleDetailsDialog('idm45662296180080')">Build and Test AIDE Database</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-overview-leaf-idm45662296176112" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["SI-7","SI-7(1)","CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001744","CCI-002699","CCI-002702"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000363-GPOS-00150","SRG-OS-000446-GPOS-00200","SRG-OS-000447-GPOS-00201"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.4.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI CJIS":["5.10.1.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296176112" onclick="return openRuleDetailsDialog('idm45662296176112')">Configure Periodic Execution of AIDE</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_scan_notification" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_scan_notification" id="rule-overview-leaf-idm45662296172112" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["CM-6(a)","CM-3(5)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001744","CCI-002702"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000363-GPOS-00150","SRG-OS-000447-GPOS-00201"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010360"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230263r627750_rule"],"https://www.cisecurity.org/controls/":["1","11","12","13","15","16","2","3","5","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 6.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI01.06","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07"],"ISO 27001-2013":["A.12.1.2","A.12.4.1","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296172112" onclick="return openRuleDetailsDialog('idm45662296172112')">Configure Notification of Post-AIDE Scan Details</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" id="rule-overview-leaf-idm45662296168128" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["SI-7","SI-7(1)","CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040300"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230551r627750_rule"],"https://www.cisecurity.org/controls/":["2","3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.2.1","A.12.5.1","A.14.1.2","A.14.1.3","A.14.2.4"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296168128" onclick="return openRuleDetailsDialog('idm45662296168128')">Configure AIDE to Verify Extended Attributes</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_verify_acls" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_verify_acls" id="rule-overview-leaf-idm45662296164128" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["SI-7","SI-7(1)","CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040310"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230552r627750_rule"],"https://www.cisecurity.org/controls/":["2","3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.2.1","A.12.5.1","A.14.1.2","A.14.1.3","A.14.2.4"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296164128" onclick="return openRuleDetailsDialog('idm45662296164128')">Configure AIDE to Verify Access Control Lists (ACLs)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Sudo</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sudo_installed" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-overview-leaf-idm45662296088240" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["1382","1384","1386"],"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R19)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.3.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296088240" onclick="return openRuleDetailsDialog('idm45662296088240')">Install sudo Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot" id="rule-overview-leaf-idm45662296081536" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296081536" onclick="return openRuleDetailsDialog('idm45662296081536')">Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="rule-overview-leaf-idm45662296077568" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td 
style="padding-left: 76px"><a href="#rule-detail-idm45662296077568" onclick="return openRuleDetailsDialog('idm45662296077568')">Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout" id="rule-overview-leaf-idm45662296073600" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296073600" onclick="return openRuleDetailsDialog('idm45662296073600')">Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" id="rule-overview-leaf-idm45662296066096" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R61)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296066096" onclick="return openRuleDetailsDialog('idm45662296066096')">Don't define allowed commands in sudoers by means of exclusion</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="rule-overview-leaf-idm45662296062096" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296062096" onclick="return openRuleDetailsDialog('idm45662296062096')">Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_requiretty" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_requiretty" id="rule-overview-leaf-idm45662296055424" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296055424" onclick="return openRuleDetailsDialog('idm45662296055424')">Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="rule-overview-leaf-idm45662296051456" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662296051456" onclick="return openRuleDetailsDialog('idm45662296051456')">Ensure sudo Runs In A Minimal Environment - sudo env_reset</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_umask" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_umask" id="rule-overview-leaf-idm45662296047488" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296047488" onclick="return openRuleDetailsDialog('idm45662296047488')">Ensure sudo umask is appropriate - sudo umask</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662296040000" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R63)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296040000" onclick="return openRuleDetailsDialog('idm45662296040000')">Explicit arguments in sudo specifications</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_dedicated_group" class="rule-overview-leaf rule-overview-leaf-fail 
rule-overview-needs-attention" id="rule-overview-leaf-idm45662296036000" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R57)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296036000" onclick="return openRuleDetailsDialog('idm45662296036000')">Ensure a dedicated group owns sudo</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-overview-leaf-idm45662296031200" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["SRG-OS-000373-VMM-001470","SRG-OS-000373-VMM-001480","SRG-OS-000373-VMM-001490"],"NIST SP 800-53":["IA-11","CM-6(a)"],"ANSSI":["BP28(R5)","BP28(R59)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010381"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230272r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 
1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296031200" onclick="return openRuleDetailsDialog('idm45662296031200')">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudoers_no_root_target" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662296027200" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R60)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296027200" onclick="return openRuleDetailsDialog('idm45662296027200')">Don't target root user in the sudoers file</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-overview-leaf-idm45662296023216" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["SRG-OS-000373-VMM-001470","SRG-OS-000373-VMM-001480","SRG-OS-000373-VMM-001490"],"NIST SP 
800-53":["IA-11","CM-6(a)"],"ANSSI":["BP28(R5)","BP28(R59)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010380"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230271r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296023216" onclick="return openRuleDetailsDialog('idm45662296023216')">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">Disk 
Partitioning<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disk_partitioning");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-overview-leaf-idm45662295864656" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000341-VMM-001220"],"NIST SP 800-53":["CM-6(a)","AU-4","SC-5(2)"],"ANSSI":["BP28(R43)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-4","PR.PT-1","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001849"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000341-GPOS-00132","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010542"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230294r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.12"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","8"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO11.04","APO13.01","BAI03.05","BAI04.04","DSS05.02","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.17.2.1"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662295864656" onclick="return openRuleDetailsDialog('idm45662295864656')">Ensure /var/log/audit Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_boot" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_boot" id="rule-overview-leaf-idm45662295860656" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295860656" onclick="return openRuleDetailsDialog('idm45662295860656')">Ensure /boot Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_opt" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_opt" id="rule-overview-leaf-idm45662295856688" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295856688" onclick="return openRuleDetailsDialog('idm45662295856688')">Ensure /opt Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_tmp" 
class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-overview-leaf-idm45662295850032" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"NIST SP 800-53":["CM-6(a)","SC-5(2)"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010543"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230295r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.2"],"https://www.cisecurity.org/controls/":["12","15","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295850032" onclick="return openRuleDetailsDialog('idm45662295850032')">Ensure /tmp Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_srv" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_srv" id="rule-overview-leaf-idm45662295846064" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662295846064" onclick="return openRuleDetailsDialog('idm45662295846064')">Ensure /srv Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_usr" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_usr" id="rule-overview-leaf-idm45662295842096" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295842096" onclick="return openRuleDetailsDialog('idm45662295842096')">Ensure /usr Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-overview-leaf-idm45662295838128" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000341-VMM-001220"],"NIST SP 
800-53":["CM-6(a)","SC-5(2)"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010540"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230292r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.6"],"https://www.cisecurity.org/controls/":["12","15","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295838128" onclick="return openRuleDetailsDialog('idm45662295838128')">Ensure /var Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_tmp" id="rule-overview-leaf-idm45662295834160" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295834160" onclick="return 
openRuleDetailsDialog('idm45662295834160')">Ensure /var/tmp Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log" id="rule-overview-leaf-idm45662295830192" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"NIST SP 800-53":["CM-6(a)","AU-4","SC-5(2)"],"ANSSI":["BP28(R12)","BP28(R47)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010541"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230293r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.11"],"https://www.cisecurity.org/controls/":["1","12","14","15","16","3","5","6","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO11.04","APO13.01","BAI03.05","DSS05.02","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662295830192" onclick="return openRuleDetailsDialog('idm45662295830192')">Ensure /var/log Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_home" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-overview-leaf-idm45662295826224" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"NIST SP 800-53":["CM-6(a)","SC-5(2)"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001208"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010800"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230328r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.13"],"https://www.cisecurity.org/controls/":["12","15","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295826224" onclick="return openRuleDetailsDialog('idm45662295826224')">Ensure /home Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Updating Software</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" id="rule-overview-leaf-idm45662295822256" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295822256" onclick="return openRuleDetailsDialog('idm45662295822256')">Install dnf-automatic Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-overview-leaf-idm45662295818256" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.2.3"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295818256" onclick="return openRuleDetailsDialog('idm45662295818256')">Ensure Red Hat GPG Key Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" id="rule-overview-leaf-idm45662295814256" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"NIST SP 
800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295814256" onclick="return openRuleDetailsDialog('idm45662295814256')">Enable dnf-automatic Timer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-overview-leaf-idm45662295810256" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-53":["SI-2(5)","SI-2(c)","CM-6(a)"],"ANSSI":["BP28(R08)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["ID.RA-1","PR.IP-12"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010010"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230222r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.9"],"https://www.cisecurity.org/controls/":["18","20","4"],"FBI CJIS":["5.10.4.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3","4.2.3.12","4.2.3.7","4.2.3.9"],"https://www.isaca.org/resources/cobit":["APO12.01","APO12.02","APO12.03","APO12.04","BAI03.10","DSS05.01","DSS05.02"],"ISO 
27001-2013":["A.12.6.1","A.14.2.3","A.16.1.3","A.18.2.2","A.18.2.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295810256" onclick="return openRuleDetailsDialog('idm45662295810256')">Ensure Software Patches Installed</a> () </td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" id="rule-overview-leaf-idm45662295805600" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295805600" onclick="return openRuleDetailsDialog('idm45662295805600')">Configure dnf-automatic to Install Only Security Updates</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" class="rule-overview-leaf rule-overview-leaf-pass
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-overview-leaf-idm45662295801600" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-11(a)","CM-11(b)","CM-6(a)","CM-5(3)","SA-12","SA-12(10)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010371"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230265r627750_rule"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295801600" onclick="return openRuleDetailsDialog('idm45662295801600')">Ensure gpgcheck Enabled for Local Packages</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="rule-overview-leaf-idm45662295794896" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["0940","1144","1467","1472","1483","1493","1494","1495"],"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295794896" onclick="return openRuleDetailsDialog('idm45662295794896')">Configure dnf-automatic to Install Available Updates Automatically</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-overview-leaf-idm45662295788192" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI 
CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295788192" onclick="return openRuleDetailsDialog('idm45662295788192')">Ensure gpgcheck Enabled for All yum Package Repositories</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-overview-leaf-idm45662295784192" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010370"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230264r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.2.4"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295784192" onclick="return openRuleDetailsDialog('idm45662295784192')">Ensure gpgcheck Enabled In Main yum Configuration</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_prefer_64bit_os" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_prefer_64bit_os" id="rule-overview-leaf-idm45662296196112" data-tt-parent-id="xccdf_org.ssgproject.content_group_software" data-references='{"ANSSI":["BP28(R10)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662296196112" onclick="return openRuleDetailsDialog('idm45662296196112')">Prefer to use a 64-bit Operating System when supported</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">Account and Access Control<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Accounts by Configuring PAM<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-pam");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Hashing 
Algorithm<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_set_password_hashing_algorithm");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-overview-leaf-idm45662295741104" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"":["0418","1055","1402","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(c)","CM-6(a)"],"ANSSI":["BP28(R32)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000196"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000073-GPOS-00041"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010160"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230237r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.4"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS 
Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295741104" onclick="return openRuleDetailsDialog('idm45662295741104')">Set PAM's Password Hashing Algorithm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Quality Requirements<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pwquality" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality"><td colspan="3" style="padding-left: 95px">Set Password Quality Requirements with pam_pwquality<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality_pwquality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-overview-leaf-idm45662295726256" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000266-VMM-000940"],"NIST SP 
800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-001619"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000266-GPOS-00101"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020280"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230375r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662295726256" onclick="return openRuleDetailsDialog('idm45662295726256')">Ensure PAM Enforces Password Requirements - Minimum Special Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" 
id="rule-overview-leaf-idm45662295716016" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000070-VMM-000370"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000193"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000070-GPOS-00038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020120"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230358r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662295716016" onclick="return openRuleDetailsDialog('idm45662295716016')">Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-overview-leaf-idm45662295711184" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000071-VMM-000380"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000194"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000071-GPOS-00039"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020130"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230359r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a 
href="#rule-detail-idm45662295711184" onclick="return openRuleDetailsDialog('idm45662295711184')">Ensure PAM Enforces Password Requirements - Minimum Digit Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-overview-leaf-idm45662295706352" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000069-VMM-000360"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000192"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000069-GPOS-00037"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020110"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230357r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 
2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662295706352" onclick="return openRuleDetailsDialog('idm45662295706352')">Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-overview-leaf-idm45662295701520" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000072-VMM-000390","SRG-OS-000078-VMM-000450"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000205"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000078-GPOS-00046"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020230"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230369r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI 
CJIS":["5.6.2.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662295701520" onclick="return openRuleDetailsDialog('idm45662295701520')">Ensure PAM Enforces Password Requirements - Minimum Length</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Lockouts for Failed Password Attempts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_locking_out_password_attempts");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" 
id="rule-overview-leaf-idm45662295693984" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000021-VMM-000050"],"NIST SP 800-53":["CM-6(a)","AC-7(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020012"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230334r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295693984" onclick="return openRuleDetailsDialog('idm45662295693984')">Set Interval For Counting Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-overview-leaf-idm45662295689088" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["SRG-OS-000077-VMM-000440"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(e)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000200"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000077-GPOS-00045"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020220"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230368r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.3"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295689088" onclick="return openRuleDetailsDialog('idm45662295689088')">Limit Password Reuse</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-overview-leaf-idm45662295684240" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000329-VMM-001180"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["CM-6(a)","AC-7(b)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020014"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230336r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.2"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.1.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295684240" 
onclick="return openRuleDetailsDialog('idm45662295684240')">Set Lockout Time for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-overview-leaf-idm45662295679328" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000021-VMM-000050"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["CM-6(a)","AC-7(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020010"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230332r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.2"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 
1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.1.6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295679328" onclick="return openRuleDetailsDialog('idm45662295679328')">Set Deny For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-overview-leaf-idm45662295674464" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 
800-53":["CM-6(a)","AC-7(b)","IA-5(c)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002238","CCI-000044"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020022"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230344r646874_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295674464" onclick="return openRuleDetailsDialog('idm45662295674464')">Configure the root Account for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_pam_namespace" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_enable_pam_namespace" id="rule-overview-leaf-idm45662295750512" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam" data-references='{"ANSSI":["BP28(R39)"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662295750512" onclick="return openRuleDetailsDialog('idm45662295750512')">Set Up a Private Namespace in PAM Configuration</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Accounts by Restricting Password-Based Login<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Set Password Expiration Parameters<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_expiration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" id="rule-overview-leaf-idm45662295619072" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 800-171":["3.5.7"],"NIST SP 
800-53":["IA-5(f)","IA-5(1)(a)","CM-6(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000205"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000078-GPOS-00046"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020231"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230370r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295619072" onclick="return openRuleDetailsDialog('idm45662295619072')">Set Password Minimum Length in login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" 
id="rule-overview-leaf-idm45662295614208" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000076-GPOS-00044"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020200"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230366r646878_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.1.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295614208" onclick="return openRuleDetailsDialog('idm45662295614208')">Set Password Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Restrict Root Logins<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_root_logins");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_direct_root_logins" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_direct_root_logins" id="rule-overview-leaf-idm45662295586288" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"NIST SP 800-171":["3.1.1","3.1.6"],"NIST SP 800-53":["IA-2","CM-6(a)"],"ANSSI":["BP28(R19)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 
95px"><a href="#rule-detail-idm45662295586288" onclick="return openRuleDetailsDialog('idm45662295586288')">Direct root Logins Not Allowed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Verify Proper Storage and Existence of Password Hashes<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_storage");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth" id="rule-overview-leaf-idm45662295548528" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"ANSSI":["BP28(R32)"],"https://public.cyber.mil/stigs/cci/":["CCI-000196"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000073-GPOS-00041"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010130"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230233r627750_rule"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295548528" onclick="return openRuleDetailsDialog('idm45662295548528')">Set number of Password Hashing Rounds - system-auth</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or 
system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth" id="rule-overview-leaf-idm45662295540944" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"ANSSI":["BP28(R32)"],"https://public.cyber.mil/stigs/cci/":["CCI-000196"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000073-GPOS-00041"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010130"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230233r627750_rule"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295540944" onclick="return openRuleDetailsDialog('idm45662295540944')">Set number of Password Hashing Rounds - password-auth</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Secure Session Configuration Files for Login Accounts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-session");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_user_umask" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_user_umask" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session"><td colspan="3" style="padding-left: 76px">Ensure that Users Have Sensible Umask Values<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_user_umask");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" id="rule-overview-leaf-idm45662295476320" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"NIST SP 800-53":["AC-6(1)","CM-6(a)"],"ANSSI":["BP28(R35)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020353"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230385r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.4"],"https://www.cisecurity.org/controls/":["18"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03"],"ISO 27001-2013":["A.14.1.1","A.14.2.1","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295476320" onclick="return openRuleDetailsDialog('idm45662295476320')">Ensure the Default Bash Umask is Set Correctly</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" id="rule-overview-leaf-idm45662295468784" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"NIST SP 800-53":["AC-6(1)","CM-6(a)"],"ANSSI":["BP28(R35)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.4"],"https://www.cisecurity.org/controls/":["18"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03"],"ISO 27001-2013":["A.14.1.1","A.14.2.1","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295468784" onclick="return openRuleDetailsDialog('idm45662295468784')">Ensure the Default Umask is Set Correctly in /etc/profile</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-overview-leaf-idm45662295463952" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"NIST SP 
800-53":["AC-6(1)","CM-6(a)"],"ANSSI":["BP28(R35)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020351"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230383r627750_rule"],"https://www.cisecurity.org/controls/":["11","18","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03","BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.1.1","A.14.2.1","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295463952" onclick="return openRuleDetailsDialog('idm45662295463952')">Ensure the Default Umask is Set Correctly in login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" id="rule-overview-leaf-idm45662295525840" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"ANSSI":["BP28(R39)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295525840" onclick="return openRuleDetailsDialog('idm45662295525840')">Configure Polyinstantiation of /tmp 
Directories</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" id="rule-overview-leaf-idm45662295500832" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"ANSSI":["BP28(R39)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295500832" onclick="return openRuleDetailsDialog('idm45662295500832')">Configure Polyinstantiation of /var/tmp Directories</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_tmout" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_tmout" id="rule-overview-leaf-idm45662295496832" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"":["SRG-OS-000163-VMM-000700","SRG-OS-000279-VMM-001010"],"NIST SP 800-171":["3.1.11"],"NIST SP 
800-53":["AC-12","SC-10","AC-2(5)","CM-6(a)"],"ANSSI":["BP28(R29)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000057","CCI-001133","CCI-002361"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000163-GPOS-00072","SRG-OS-000029-GPOS-00010"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.3"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295496832" onclick="return openRuleDetailsDialog('idm45662295496832')">Set Interactive Session Timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">System Accounting with auditd<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_auditing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" 
class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px">Configure auditd Rules for Comprehensive Auditing<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_auditd_configure_rules");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_privileged_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Information on the Use of Privileged Commands<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_privileged_commands");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" id="rule-overview-leaf-idm45662295094256" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"":["SRG-OS-000471-VMM-001910"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"ANSSI":["BP28(R19)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000130","CCI-000135","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295094256" onclick="return openRuleDetailsDialog('idm45662295094256')">Ensure auditd Collects Information on the Use of Privileged Commands - sudo</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network" 
class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">Network Configuration and Firewalls<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-kernel" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-kernel" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Kernel Parameters Which Affect Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-kernel");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Related Kernel Runtime Parameters for Hosts and Routers<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_and_router_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" id="rule-overview-leaf-idm45662294879648" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45662294879648" onclick="return openRuleDetailsDialog('idm45662294879648')">Configure Kernel Parameter for Accepting Secure Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-overview-leaf-idm45662294874736" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001503","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040280"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230544r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","7","8","9"],"FBI 
CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294874736" onclick="return openRuleDetailsDialog('idm45662294874736')">Disable Accepting ICMP Redirects for All IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-overview-leaf-idm45662294867760" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040250"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230539r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294867760" onclick="return openRuleDetailsDialog('idm45662294867760')">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" id="rule-overview-leaf-idm45662294862832" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5(1)","SC-5(2)","SC-5(3)(a)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001095"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000420-GPOS-00186","SRG-OS-000142-GPOS-00071"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.8"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"FBI 
CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294862832" onclick="return openRuleDetailsDialog('idm45662294862832')">Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range" id="rule-overview-leaf-idm45662294857984" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294857984" onclick="return openRuleDetailsDialog('idm45662294857984')">Set Kernel Parameter to Increase Local Port Range</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-overview-leaf-idm45662294853984" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040210"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230535r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 
3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294853984" onclick="return openRuleDetailsDialog('idm45662294853984')">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" id="rule-overview-leaf-idm45662294849072" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5(3)(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.AC-3","PR.DS-4","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.04","DSS03.05","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294849072" onclick="return openRuleDetailsDialog('idm45662294849072')">Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or 
system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" id="rule-overview-leaf-idm45662294844192" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.6"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45662294844192" onclick="return openRuleDetailsDialog('idm45662294844192')">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" id="rule-overview-leaf-idm45662294839264" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.7"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294839264" onclick="return openRuleDetailsDialog('idm45662294839264')">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" id="rule-overview-leaf-idm45662294834368" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001503","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45662294834368" onclick="return openRuleDetailsDialog('idm45662294834368')">Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-overview-leaf-idm45662294829456" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040240"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230538r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4
.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294829456" onclick="return openRuleDetailsDialog('idm45662294829456')">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337" id="rule-overview-leaf-idm45662294824544" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294824544" onclick="return openRuleDetailsDialog('idm45662294824544')">Enable Kernel 
Parameter to Use TCP RFC 1337 on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" id="rule-overview-leaf-idm45662294814256" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040285"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230549r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.7"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294814256" onclick="return openRuleDetailsDialog('idm45662294814256')">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Parameters for Hosts Only<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-overview-leaf-idm45662294809392" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040270"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230543r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.1.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294809392" onclick="return openRuleDetailsDialog('idm45662294809392')">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-overview-leaf-idm45662294805360" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040220"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230536r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.1.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294805360" onclick="return openRuleDetailsDialog('idm45662294805360')">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-overview-leaf-idm45662294801344" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040260"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230540r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.1.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294801344" onclick="return openRuleDetailsDialog('idm45662294801344')">Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">IPv6<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configuring_ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipv6"><td colspan="3" style="padding-left: 76px">Configure IPv6 Settings if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configuring_ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" id="rule-overview-leaf-idm45662294785744" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040210"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230535r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.2"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294785744" onclick="return openRuleDetailsDialog('idm45662294785744')">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref" id="rule-overview-leaf-idm45662294780832" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294780832" onclick="return openRuleDetailsDialog('idm45662294780832')">Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses" id="rule-overview-leaf-idm45662294775920" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294775920" onclick="return openRuleDetailsDialog('idm45662294775920')">Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" 
id="rule-overview-leaf-idm45662294765584" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-5","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040250"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230539r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.1"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","4","6","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294765584" onclick="return openRuleDetailsDialog('idm45662294765584')">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations" id="rule-overview-leaf-idm45662294758592" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294758592" onclick="return openRuleDetailsDialog('idm45662294758592')">Configure Denying Router Solicitations on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-overview-leaf-idm45662294753664" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-5","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040240"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230538r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.1"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","4","6","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294753664" onclick="return openRuleDetailsDialog('idm45662294753664')">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf" id="rule-overview-leaf-idm45662294746048" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294746048" onclick="return openRuleDetailsDialog('idm45662294746048')">Configure Auto Configuration on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo" id="rule-overview-leaf-idm45662294741168" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294741168" onclick="return openRuleDetailsDialog('idm45662294741168')">Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf" id="rule-overview-leaf-idm45662294734208" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45662294734208" onclick="return openRuleDetailsDialog('idm45662294734208')">Configure Auto Configuration on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr" id="rule-overview-leaf-idm45662294729344" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294729344" onclick="return openRuleDetailsDialog('idm45662294729344')">Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses" id="rule-overview-leaf-idm45662294724432" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294724432" onclick="return openRuleDetailsDialog('idm45662294724432')">Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo" id="rule-overview-leaf-idm45662294719536" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294719536" onclick="return openRuleDetailsDialog('idm45662294719536')">Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" id="rule-overview-leaf-idm45662294714624" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294714624" onclick="return openRuleDetailsDialog('idm45662294714624')">Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" id="rule-overview-leaf-idm45662294709696" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040280"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230544r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.3.2"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294709696" onclick="return openRuleDetailsDialog('idm45662294709696')">Disable Accepting ICMP Redirects for All IPv6 Interfaces</a></td><td class="rule-severity" 
style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations" id="rule-overview-leaf-idm45662294702080" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294702080" onclick="return openRuleDetailsDialog('idm45662294702080')">Configure Denying Router Solicitations on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr" id="rule-overview-leaf-idm45662294697168" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294697168" onclick="return openRuleDetailsDialog('idm45662294697168')">Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Configure Syslog</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_log_rotation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Ensure All Logs are Rotated by logrotate<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_log_rotation");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" id="rule-overview-leaf-idm45662294650352" data-tt-parent-id="xccdf_org.ssgproject.content_group_log_rotation" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R43)","NT12(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.3"],"https://www.cisecurity.org/controls/":["1","14","15","16","3","5","6"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9"],"https://www.isaca.org/resources/cobit":["APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1"],"PCI-DSS Requirement":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294650352" onclick="return 
openRuleDetailsDialog('idm45662294650352')">Ensure Logrotate Runs Periodically</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"><strong>Rsyslog Logs Sent To Remote Host</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-overview-leaf-idm45662294646352" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405","SRG-OS-000032-VMM-000130"],"NIST SP 
800-53":["CM-6(a)","AU-4(1)","AU-9(2)"],"ANSSI":["BP28(R7)","NT28(R43)","NT12(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001348","CCI-000136","CCI-001851"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000480-GPOS-00227","SRG-OS-000342-GPOS-00133"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-030690"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230479r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.5"],"https://www.cisecurity.org/controls/":["1","13","14","15","16","2","3","5","6"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(B)","164.308(a)(5)(ii)(C)","164.308(a)(6)(ii)","164.308(a)(8)","164.310(d)(2)(iii)","164.312(b)","164.314(a)(2)(i)(C)","164.314(a)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 7.1","SR 7.2"],"https://www.isaca.org/resources/cobit":["APO11.04","APO13.01","BAI03.05","BAI04.04","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.17.2.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294646352" onclick="return openRuleDetailsDialog('idm45662294646352')">Ensure Logs Sent To Remote Host</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294642368" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405"],"NIST SP 800-53":["AU-9(3)","CM-6(a)"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000120-GPOS-00061"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_TLSC_EXT.1","FTP_ITC_EXT.1.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294642368" onclick="return openRuleDetailsDialog('idm45662294642368')">Configure TLS for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294638400" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_TLSC_EXT.1","FTP_ITC_EXT.1.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294638400" onclick="return openRuleDetailsDialog('idm45662294638400')">Configure CA certificate for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the 
rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Ensure Proper Configuration of Log Files<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-overview-leaf-idm45662294616640" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R46)","BP28(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294616640" onclick="return openRuleDetailsDialog('idm45662294616640')">Ensure Log Files 
Are Owned By Appropriate Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-overview-leaf-idm45662294612640" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R46)","BP28(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294612640" onclick="return openRuleDetailsDialog('idm45662294612640')">Ensure Log Files Are Owned By Appropriate User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" id="rule-overview-leaf-idm45662294608656" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.3"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294608656" onclick="return openRuleDetailsDialog('idm45662294608656')">Ensure System Log Files Have Correct Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed" id="rule-overview-leaf-idm45662294664400" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000120-GPOS-00061"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-030680"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230478r627750_rule"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTP_ITC_EXT.1.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294664400" onclick="return openRuleDetailsDialog('idm45662294664400')">Ensure 
rsyslog-gnutls is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-overview-leaf-idm45662294660400" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000051-GPOS-00024","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-030670"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230477r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.1"],"https://www.cisecurity.org/controls/":["1","14","15","16","3","5","6"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9"],"https://www.isaca.org/resources/cobit":["APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294660400" onclick="return openRuleDetailsDialog('idm45662294660400')">Ensure rsyslog is Installed</a></td><td class="rule-severity" 
style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-overview-leaf-idm45662294656400" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"NIST SP 800-53":["CM-6(a)","AU-4(1)"],"ANSSI":["BP28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.DS-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312","CCI-001557","CCI-001851","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010561"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230298r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.2"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2","SR 7.1","SR 7.2"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO13.01","BAI03.05","BAI04.04","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2","A.17.2.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294656400" onclick="return openRuleDetailsDialog('idm45662294656400')">Enable rsyslog Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>File Permissions and Masks</strong> <span class="badge">2x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Verify Permissions on Important Files and Directories</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions_important_account_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_files"><td colspan="3" style="padding-left: 76px">Verify Permissions on Files with Local Account Information and Credentials<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_permissions_important_account_files");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" id="rule-overview-leaf-idm45662294556272" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.5"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294556272" onclick="return openRuleDetailsDialog('idm45662294556272')">Verify Permissions on gshadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_group" id="rule-overview-leaf-idm45662294549568" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.4"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294549568" onclick="return openRuleDetailsDialog('idm45662294549568')">Verify Permissions on group File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" id="rule-overview-leaf-idm45662294542864" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.3"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"FBI 
CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294542864" onclick="return openRuleDetailsDialog('idm45662294542864')">Verify Permissions on shadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" id="rule-overview-leaf-idm45662294536160" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.5"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294536160" onclick="return openRuleDetailsDialog('idm45662294536160')">Verify User Who Owns gshadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" id="rule-overview-leaf-idm45662294513248" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.3"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294513248" onclick="return 
openRuleDetailsDialog('idm45662294513248')">Verify User Who Owns shadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" id="rule-overview-leaf-idm45662294498464" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.2"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294498464" onclick="return openRuleDetailsDialog('idm45662294498464')">Verify Permissions on passwd File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" id="rule-overview-leaf-idm45662294604656" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-002165"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010373"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230267r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294604656" onclick="return openRuleDetailsDialog('idm45662294604656')">Enable Kernel Parameter to Enforce DAC on Symlinks</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294595248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"ANSSI":["BP28(R40)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010700"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230318r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294595248" onclick="return 
openRuleDetailsDialog('idm45662294595248')">Ensure All World-Writable Directories Are Owned by root user</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" id="rule-overview-leaf-idm45662294591248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-002165"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010374"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230268r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294591248" onclick="return openRuleDetailsDialog('idm45662294591248')">Enable Kernel Parameter to Enforce DAC on Hardlinks</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-overview-leaf-idm45662294587248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R37)","BP28(R38)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.14"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294587248" onclick="return openRuleDetailsDialog('idm45662294587248')">Ensure All SGID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-overview-leaf-idm45662294583248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R37)","BP28(R38)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.13"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294583248" onclick="return openRuleDetailsDialog('idm45662294583248')">Ensure All SUID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-overview-leaf-idm45662294579248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R40)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001090"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000138-GPOS-00069"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010190"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230243r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.21"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294579248" onclick="return openRuleDetailsDialog('idm45662294579248')">Verify that All World-Writable Directories Have Sticky Bits Set</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-overview-leaf-idm45662294575248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST 
SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R40)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.10"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294575248" onclick="return openRuleDetailsDialog('idm45662294575248')">Ensure No World-Writable Files Exist</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Partition Mount Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_partitions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" id="rule-overview-leaf-idm45662294432064" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294432064" onclick="return openRuleDetailsDialog('idm45662294432064')">Add nosuid Option to /var</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" id="rule-overview-leaf-idm45662294425376" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040134"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230522r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.10"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294425376" onclick="return openRuleDetailsDialog('idm45662294425376')">Add noexec Option to /var/tmp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_home_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_home_noexec" id="rule-overview-leaf-idm45662294413248" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294413248" onclick="return openRuleDetailsDialog('idm45662294413248')">Add noexec Option to /home</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_noexec" id="rule-overview-leaf-idm45662294406560" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294406560" onclick="return openRuleDetailsDialog('idm45662294406560')">Add noexec Option to /var</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_boot_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_boot_noexec" id="rule-overview-leaf-idm45662294399872" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294399872" onclick="return openRuleDetailsDialog('idm45662294399872')">Add noexec Option to /boot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" id="rule-overview-leaf-idm45662294387776" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040127"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230515r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294387776" onclick="return openRuleDetailsDialog('idm45662294387776')">Add nosuid Option to /var/log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid" id="rule-overview-leaf-idm45662294379008" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294379008" onclick="return openRuleDetailsDialog('idm45662294379008')">Add nosuid Option to /opt</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or 
system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" id="rule-overview-leaf-idm45662294369600" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010571"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230300r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294369600" onclick="return openRuleDetailsDialog('idm45662294369600')">Add nosuid Option to /boot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" id="rule-overview-leaf-idm45662294365616" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040128"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230516r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294365616" onclick="return openRuleDetailsDialog('idm45662294365616')">Add noexec Option to /var/log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" id="rule-overview-leaf-idm45662294358912" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040125"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230513r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.5"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294358912" onclick="return openRuleDetailsDialog('idm45662294358912')">Add noexec Option to /tmp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" id="rule-overview-leaf-idm45662294354928" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040124"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230512r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.4"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td 
style="padding-left: 76px"><a href="#rule-detail-idm45662294354928" onclick="return openRuleDetailsDialog('idm45662294354928')">Add nosuid Option to /tmp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" id="rule-overview-leaf-idm45662294350944" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040133"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230521r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.9"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294350944" onclick="return openRuleDetailsDialog('idm45662294350944')">Add nosuid Option to /var/tmp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-overview-leaf-idm45662294341520" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010570"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230299r627750_rule"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294341520" onclick="return openRuleDetailsDialog('idm45662294341520')">Add nosuid Option to /home</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" id="rule-overview-leaf-idm45662294334832" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010580"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230301r627750_rule"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294334832" onclick="return openRuleDetailsDialog('idm45662294334832')">Add nodev Option to 
Non-Root Local Partitions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid" id="rule-overview-leaf-idm45662294330800" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294330800" onclick="return openRuleDetailsDialog('idm45662294330800')">Add nosuid Option to /srv</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Programs from Dangerous Execution Patterns</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_nx" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_nx" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px"><strong>Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" class="rule-overview-leaf 
rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" id="rule-overview-leaf-idm45662294277328" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_nx" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-39","CM-6(a)"],"ANSSI":["BP28(R9)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://www.cisecurity.org/controls/":["11","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294277328" onclick="return openRuleDetailsDialog('idm45662294277328')">Enable NX or XD Support in the BIOS</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" id="rule-overview-leaf-idm45662294273984" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_nx" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R9)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://www.cisecurity.org/controls/":["11","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294273984" onclick="return openRuleDetailsDialog('idm45662294273984')">Install PAE Kernel on Supported 32-bit x86 Systems</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Enable 
ExecShield<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_enable_execshield_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-overview-leaf-idm45662294269984" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-30","SC-30(2)","CM-6(a)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-002824"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00193","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010430"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230280r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.6.2"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294269984" onclick="return openRuleDetailsDialog('idm45662294269984')">Enable Randomized Layout of Virtual Address Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" id="rule-overview-leaf-idm45662294265984" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" 
data-references='{"NIST SP 800-53":["SC-30","SC-30(2)","SC-30(5)","CM-6(a)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000433-GPOS-00192","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040283"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230547r627750_rule"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294265984" onclick="return openRuleDetailsDialog('idm45662294265984')">Restrict Exposed Kernel Pointer Addresses Access</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-overview-leaf-idm45662294261984" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-39","CM-6(a)"],"ANSSI":["BP28(R9)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002530"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00192"],"https://www.cisecurity.org/controls/":["12","15","8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 
7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294261984" onclick="return openRuleDetailsDialog('idm45662294261984')">Enable ExecShield via sysctl</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_coredumps" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_coredumps" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Disable Core Dumps<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_coredumps");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" id="rule-overview-leaf-idm45662294245120" data-tt-parent-id="xccdf_org.ssgproject.content_group_coredumps" data-references='{"NIST SP 800-53":["SI-11(a)","SI-11(b)"],"ANSSI":["BP28(R23)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.6.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294245120" onclick="return openRuleDetailsDialog('idm45662294245120')">Disable Core Dumps for SUID programs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent" id="rule-overview-leaf-idm45662294324112" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294324112" onclick="return openRuleDetailsDialog('idm45662294324112')">Limit CPU consumption of the Perf system</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294320096" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R24)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294320096" onclick="return openRuleDetailsDialog('idm45662294320096')">Disable loading and unloading of kernel modules</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-overview-leaf-idm45662294316096" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-171":["3.1.5"],"NIST SP 
800-53":["SI-11(a)","SI-11(b)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000138-GPOS-00069"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010375"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230269r627750_rule"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294316096" onclick="return openRuleDetailsDialog('idm45662294316096')">Restrict Access to Kernel Message Buffer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq" id="rule-overview-leaf-idm45662294306672" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294306672" onclick="return openRuleDetailsDialog('idm45662294306672')">Disallow magic SysRq key</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max" id="rule-overview-leaf-idm45662294302704" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294302704" onclick="return openRuleDetailsDialog('idm45662294302704')">Configure maximum number of process identifiers</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" id="rule-overview-leaf-idm45662294296032" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R25)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040282"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230546r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294296032" onclick="return openRuleDetailsDialog('idm45662294296032')">Restrict usage of ptrace to descendant processes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate" id="rule-overview-leaf-idm45662294289328" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294289328" onclick="return openRuleDetailsDialog('idm45662294289328')">Limit sampling frequency of the Perf system</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" id="rule-overview-leaf-idm45662294285312" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-001090"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000138-GPOS-00069"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010376"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230270r627750_rule"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294285312" onclick="return openRuleDetailsDialog('idm45662294285312')">Disallow kernel profiling by unprivileged users</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr" 
id="rule-overview-leaf-idm45662294281312" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294281312" onclick="return openRuleDetailsDialog('idm45662294281312')">Prevent applications from mapping low portion of virtual memory</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>GRUB2 bootloader configuration</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_non-uefi" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_non-uefi" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2"><td colspan="3" style="padding-left: 57px"><strong>Non-UEFI GRUB2 bootloader configuration</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_password" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294213488" data-tt-parent-id="xccdf_org.ssgproject.content_group_non-uefi" data-references='{"NIST SP 800-171":["3.4.5"],"NIST SP 
800-53":["CM-6(a)"],"ANSSI":["BP28(R17)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010150"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230235r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.5.2"],"https://www.cisecurity.org/controls/":["1","11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"https://www.isaca.org/resources/cobit":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294213488" onclick="return openRuleDetailsDialog('idm45662294213488')">Set Boot 
Loader Password in grub2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_uefi" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_uefi" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2"><td colspan="3" style="padding-left: 57px">UEFI GRUB2 bootloader configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_uefi");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_uefi_password" class="rule-overview-leaf rule-overview-leaf-notapplicable rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-overview-leaf-idm45662294195872" data-tt-parent-id="xccdf_org.ssgproject.content_group_uefi" data-references='{"NIST SP 800-171":["3.4.5"],"NIST SP 
800-53":["CM-6(a)"],"ANSSI":["BP28(R17)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010140"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230234r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.5.2"],"https://www.cisecurity.org/controls/":["11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"https://www.isaca.org/resources/cobit":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"ISO 27001-2013":["A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294195872" onclick="return openRuleDetailsDialog('idm45662294195872')">Set the UEFI Boot Loader Password</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result 
rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force" id="rule-overview-leaf-idm45662294233024" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"ANSSI":["BP28(R11)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294233024" onclick="return openRuleDetailsDialog('idm45662294233024')">IOMMU configuration directive</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>SELinux</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux-booleans" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux-booleans" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux"><td colspan="3" style="padding-left: 57px"><strong>SELinux - Booleans</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_deny_execmem" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662293988928" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293988928" onclick="return openRuleDetailsDialog('idm45662293988928')">Enable the deny_execmem SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" id="rule-overview-leaf-idm45662293692272" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293692272" onclick="return openRuleDetailsDialog('idm45662293692272')">Disable the secure_mode_insmod SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" id="rule-overview-leaf-idm45662293648208" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293648208" onclick="return openRuleDetailsDialog('idm45662293648208')">Disable the selinuxuser_execheap SELinux Boolean</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled" id="rule-overview-leaf-idm45662293611760" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R39)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293611760" onclick="return openRuleDetailsDialog('idm45662293611760')">Disable the polyinstantiation_enabled SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" id="rule-overview-leaf-idm45662293604848" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293604848" onclick="return openRuleDetailsDialog('idm45662293604848')">disable the selinuxuser_execstack SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login" id="rule-overview-leaf-idm45662293536848" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293536848" onclick="return openRuleDetailsDialog('idm45662293536848')">Disable the ssh_sysadm_login SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed" id="rule-overview-leaf-idm45662294161408" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"ANSSI":["BP28(R68)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294161408" onclick="return openRuleDetailsDialog('idm45662294161408')">Uninstall setroubleshoot-plugins Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed" id="rule-overview-leaf-idm45662294157392" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"ANSSI":["BP28(R68)"]}'><td style="padding-left: 57px"><a 
href="#rule-detail-idm45662294157392" onclick="return openRuleDetailsDialog('idm45662294157392')">Uninstall setroubleshoot-server Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" id="rule-overview-leaf-idm45662294153392" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"ANSSI":["BP28(R68)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.7.1.6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294153392" onclick="return openRuleDetailsDialog('idm45662294153392')">Uninstall setroubleshoot Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_policytype" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-overview-leaf-idm45662294149392" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 
800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"ANSSI":["BP28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010450"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230282r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.7.1.3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294149392" onclick="return openRuleDetailsDialog('idm45662294149392')">Configure SELinux Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_state" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-overview-leaf-idm45662294132368" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 
800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"ANSSI":["BP28(R4)","BP28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010170"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230240r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.7.1.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294132368" onclick="return openRuleDetailsDialog('idm45662294132368')">Ensure SELinux State is Enforcing</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 19px">Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Mail Server Software<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mail");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_client" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail"><td colspan="3" style="padding-left: 57px">Configure SMTP For Mail 
Clients<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_client");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" id="rule-overview-leaf-idm45662293434656" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_client" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R49)"],"https://public.cyber.mil/stigs/cci/":["CCI-000139","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000046-GPOS-00022"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-030030"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230389r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293434656" onclick="return openRuleDetailsDialog('idm45662293434656')">Configure System to Forward All Mail For The Root Account</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" id="rule-overview-leaf-idm45662293429808" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_client" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R48)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000382"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.18"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293429808" onclick="return openRuleDetailsDialog('idm45662293429808')">Disable Postfix Network Listening</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed" id="rule-overview-leaf-idm45662293442768" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000095-GPOS-00049"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040002"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230489r627750_rule"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662293442768" onclick="return openRuleDetailsDialog('idm45662293442768')">Uninstall Sendmail Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">SSH Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ssh");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh"><td colspan="3" style="padding-left: 57px">Configure OpenSSH Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ssh_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-overview-leaf-idm45662293182000" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6(2)","AC-17(a)","IA-2","IA-2(5)","CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R19)","NT007(R21)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000770"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000109-GPOS-00056","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010550"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230296r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.10"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","5"],"FBI 
CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293182000" onclick="return openRuleDetailsDialog('idm45662293182000')">Disable SSH Root Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-overview-leaf-idm45662293153536" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["CM-6(a)","AC-17(a)","AC-2(5)","AC-12","AC-17(a)","SC-10","CM-6(a)"],"ANSSI":["BP28(R29)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000879","CCI-001133","CCI-002361"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000126-GPOS-00066","SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109","SRG-OS-000395-GPOS-00175"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010200"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230244r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.13"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5","7","8"],"FBI CJIS":["5.5.6"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03","DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.14.1.1","A.14.2.1","A.14.2.5","A.18.1.4","A.6.1.2","A.6.1.5","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662293153536" onclick="return openRuleDetailsDialog('idm45662293153536')">Set SSH Idle Timeout Interval</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-overview-leaf-idm45662293114672" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-2(5)","AC-12","AC-17(a)","SC-10","CM-6(a)"],"ANSSI":["BP28(R29)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000879","CCI-001133","CCI-002361"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.13"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5","7","8"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 
6.2"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03","DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.14.1.1","A.14.2.1","A.14.2.5","A.18.1.4","A.6.1.2","A.6.1.5","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293114672" onclick="return openRuleDetailsDialog('idm45662293114672')">Set SSH Client Alive Count Max</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-overview-leaf-idm45662293233344" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"NIST SP 800-171":["3.1.13","3.13.10"],"NIST SP 
800-53":["AC-17(a)","CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010490"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230287r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.3"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662293233344" onclick="return openRuleDetailsDialog('idm45662293233344')">Verify Permissions on SSH Server Private *_key Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Time 
Protocol<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ntp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_chrony_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_chrony_installed" id="rule-overview-leaf-idm45662292904944" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000355-GPOS-00143"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.1.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662292904944" onclick="return openRuleDetailsDialog('idm45662292904944')">The Chrony package is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" id="rule-overview-leaf-idm45662292879888" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.1.2"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662292879888" onclick="return openRuleDetailsDialog('idm45662292879888')">A remote time server for Chrony is configured</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Obsolete Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_obsolete");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Rlogin, Rsh, and Rexec<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_r_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-overview-leaf-idm45662292836352" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","IA-5(1)(c)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040010"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230492r627750_rule"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292836352" onclick="return openRuleDetailsDialog('idm45662292836352')">Uninstall rsh-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-overview-leaf-idm45662292832352" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"NIST SP 800-171":["3.1.13"],"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292832352" onclick="return openRuleDetailsDialog('idm45662292832352')">Uninstall rsh Package</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">NIS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nis");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypbind_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-overview-leaf-idm45662292812208" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" 
data-references='{"ANSSI":["BP28(R1)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.3.1"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292812208" onclick="return openRuleDetailsDialog('idm45662292812208')">Remove NIS Client</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-overview-leaf-idm45662292808224" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","IA-5(1)(c)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.17"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 
1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292808224" onclick="return openRuleDetailsDialog('idm45662292808224')">Uninstall ypserv Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Telnet<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_telnet");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-overview-leaf-idm45662292801536" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040000"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230487r627750_rule"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292801536" onclick="return openRuleDetailsDialog('idm45662292801536')">Uninstall telnet-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-overview-leaf-idm45662292797536" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 800-171":["3.1.13"],"ANSSI":["BP28(R1)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.3.2"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292797536" onclick="return openRuleDetailsDialog('idm45662292797536')">Remove telnet Clients</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Xinetd<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_inetd_and_xinetd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_xinetd_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" id="rule-overview-leaf-idm45662292790848" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000305"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.1.1"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292790848" onclick="return openRuleDetailsDialog('idm45662292790848')">Uninstall xinetd Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Chat/Messaging Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_talk");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-overview-leaf-idm45662292784160" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292784160" onclick="return openRuleDetailsDialog('idm45662292784160')">Uninstall talk-server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-overview-leaf-idm45662292780160" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292780160" onclick="return openRuleDetailsDialog('idm45662292780160')">Uninstall talk Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied 
all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_tftp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_tftp" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">TFTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_tftp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-overview-leaf-idm45662292776192" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000318","CCI-000366","CCI-000368","CCI-001812","CCI-001813","CCI-001814"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040190"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230533r627750_rule"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 
1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292776192" onclick="return openRuleDetailsDialog('idm45662292776192')">Uninstall tftp-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp_removed" id="rule-overview-leaf-idm45662292772192" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"ANSSI":["BP28(R1)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292772192" onclick="return openRuleDetailsDialog('idm45662292772192')">Remove tftp Daemon</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dhcp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 
38px">DHCP<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dhcp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp"><td colspan="3" style="padding-left: 57px">Disable DHCP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_dhcp_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed" id="rule-overview-leaf-idm45662292762832" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 
27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292762832" onclick="return openRuleDetailsDialog('idm45662292762832')">Uninstall DHCP Server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr></tbody></table></div><div class="js-only hidden-print"><button type="button" class="btn btn-info" onclick="return toggleResultDetails(this)">Show all result details</button></div><div id="result-details"><h2>Result Details</h2><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-detail-idm45662296184064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-80844-4 </div><div class="panel-heading"><h3 class="panel-title">Install AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_aide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_aide_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80844-4">CCE-80844-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.4.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI02.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a
href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002699</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001744</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="">1034</a>, <a href="">1288</a>, <a href="">1341</a>, <a href="">1417</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000363-GPOS-00150</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010360</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230263r627750_rule</a></p></td></tr><tr><td>Description</td><td><div 
class="description">The <code>aide</code> package can be installed with the following command: <pre>$ sudo yum install aide</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The AIDE package must be installed if it is to be available for integrity checking.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="rule-detail-idm45662296180080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Build and Test AIDE Databasexccdf_org.ssgproject.content_rule_aide_build_database mediumCCE-80675-2 </div><div class="panel-heading"><h3 class="panel-title">Build and Test AIDE Database</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_build_database</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component
satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-aide_build_database:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80675-2">CCE-80675-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI02.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a></p></td></tr><tr><td>Description</td><td><div class="description">Run the following command to generate a new database: ><pre>$ sudo /usr/sbin/aide --init</pre> >By default, the database will be written to the file 
<code>/var/lib/aide/aide.db.new.gz</code>. >Storing the database, the configuration file <code>/etc/aide.conf</code>, and the binary ><code>/usr/sbin/aide</code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. >The newly-generated database can be installed as follows: ><pre>$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre> >To initiate a manual check, run the following command: ><pre>$ sudo /usr/sbin/aide --check</pre> >If this check produces any unexpected output, investigate.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">For AIDE to be effective, an initial database of "known-good" information about files >must be captured and it should be able to be verified against the installed files.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> > <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Testing existence of new aide database file</span> > <span class="label label-default">oval:ssg-test_aide_build_new_database_absolute_path:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have 
been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/lib/aide/aide.db.new.gz</td><td>regular</td><td>0</td><td>0</td><td>7828689</td><td><code>rw------- </code></td></tr></tbody></table><h4><span class="label label-primary">Testing existence of operational aide database file</span> > <span class="label label-default">oval:ssg-test_aide_operational_database_absolute_path:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/lib/aide/aide.db.gz</td><td>regular</td><td>0</td><td>0</td><td>7828689</td><td><code>rw------- </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-detail-idm45662296176112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-80676-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Periodic Execution of AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-aide_periodic_cron_checking:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80676-0">CCE-80676-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.4.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI02.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001744</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002699</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002702</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000363-GPOS-00150</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000446-GPOS-00200</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000447-GPOS-00201</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, AIDE should be configured to run a weekly scan. >To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: ><pre>05 4 * * * root /usr/sbin/aide --check</pre> >To implement a weekly execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: ><pre>05 4 * * 0 root /usr/sbin/aide --check</pre> >AIDE can be executed periodically through other means; this is merely one example. >The usage of cron's special time codes, such as <code>@daily</code> and ><code>@weekly</code> is acceptable.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By default, AIDE does not install itself for periodic execution. Periodically >running AIDE is necessary to reveal unexpected changes in installed files. ><br><br> >Unauthorized changes to the baseline configuration could make the system vulnerable >to various attacks or allow unauthorized access to the operating system. Changes to >operating system configurations can have unintended side effects, some of which may >be relevant to security. ><br><br> >Detecting such changes and providing an automated response can help avoid unintended, >negative consequences that could ultimately affect the security state of the operating >system. 
The operating system's Information Management Officer (IMO)/Information System >Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or >monitoring system trap when there is an unauthorized modification of a configuration item.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> > <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">run aide with cron</span> > <span class="label label-default">oval:ssg-test_aide_periodic_cron_checking:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crontab</td><td>05 4 * * * root /usr/sbin/aide --check</td></tr><tr><td>/etc/crontab</td><td>0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</td></tr></tbody></table><h4><span class="label label-primary">run aide with cron</span> > <span class="label label-default">oval:ssg-test_aide_crond_checking:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have 
been found conforming to the following objects:</h5><h5>Object <strong><abbr title="run aide with cron">oval:ssg-object_test_aide_crond_checking:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/cron.d</td><td>^.*$</td><td>^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">run aide with cron</span> > <span class="label label-default">oval:ssg-test_aide_var_cron_checking:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="run aide with cron">oval:ssg-object_aide_var_cron_checking:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/var/spool/cron/root</td><td>^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">run aide with cron.(daily|weekly)</span> > <span class="label label-default">oval:ssg-test_aide_crontabs_checking:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="run aide with cron.(daily|weekly)">oval:ssg-object_aide_crontabs_checking:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/cron.(daily|weekly)$</td><td>^.*$</td><td>^\s*/usr/sbin/aide[\s]*\-\-check.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_scan_notification" id="rule-detail-idm45662296172112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Notification of Post-AIDE Scan Detailsxccdf_org.ssgproject.content_rule_aide_scan_notification mediumCCE-82891-3 </div><div class="panel-heading"><h3 class="panel-title">Configure Notification of Post-AIDE Scan Details</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_scan_notification</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-aide_scan_notification:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82891-3">CCE-82891-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001744</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-002702</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(5)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000363-GPOS-00150</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000447-GPOS-00201</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010360</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230263r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">AIDE should notify appropriate personnel of the details of a scan after the scan has been run. >If AIDE has already been configured for periodic execution in <code>/etc/crontab</code>, append the >following line to the existing AIDE line: ><pre> | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre> >Otherwise, add the following line to <code>/etc/crontab</code>: ><pre>05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre> >AIDE can be executed periodically through other means; this is merely one example.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unauthorized changes to the baseline configuration could make the system vulnerable >to various attacks or allow unauthorized access to the operating system. Changes to >operating system configurations can have unintended side effects, some of which may >be relevant to security. ><br><br> >Detecting such changes and providing an automated response can help avoid unintended, >negative consequences that could ultimately affect the security state of the operating >system. 
The operating system's Information Management Officer (IMO)/Information System >Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or >monitoring system trap when there is an unauthorized modification of a configuration item.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> > <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">notify personnel when aide completes</span> > <span class="label label-default">oval:ssg-test_aide_scan_notification:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crontab</td><td>0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</td></tr></tbody></table><h4><span class="label label-primary">notify personnel when aide completes</span> > <span class="label label-default">oval:ssg-test_aide_var_cron_notification:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr title="notify personnel when aide completes">oval:ssg-object_aide_var_cron_notification:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/var/spool/cron/root</td><td>^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">notify personnel when aide completes in cron.(daily|weekly|monthly)</span> > <span class="label label-default">oval:ssg-test_aide_crontabs_notification:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="notify personnel when aide completes in cron.(d|daily|weekly|monthly)">oval:ssg-object_aide_crontabs_notification:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/cron.(d|daily|weekly|monthly)$</td><td>^.*$</td><td>^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" id="rule-detail-idm45662296168128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes lowCCE-83733-6 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Verify Extended Attributes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-aide_verify_ext_attributes:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83733-6">CCE-83733-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040300</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230551r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. >If using a custom ruleset or the <code>xattrs</code> option is missing, add <code>xattrs</code> >to the appropriate ruleset. 
>For example, add <code>xattrs</code> to the following line in <code>/etc/aide.conf</code>: ><pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre> >AIDE rules can be configured in multiple ways; this is merely one example that is already >configured by default. > >The remediation provided with this rule adds <code>xattrs</code> to all rule sets available in ><code>/etc/aide.conf</code></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Extended attributes in file systems are used to contain arbitrary data and file metadata >with security implications.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> > <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">xattrs is set in /etc/aide.conf</span> > <span class="label label-default">oval:ssg-test_aide_verify_ext_attributes:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/aide.conf</td><td>DIR = p+i+n+u+g+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>PERMS = 
p+u+g+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>EVERYTHING = R+ALLXTRAHASHES+xattrs+acl</td></tr><tr><td>/etc/aide.conf</td><td>NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512</td></tr><tr><td>/etc/aide.conf</td><td>LOG = p+u+g+n+S+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>CONTENT = sha512+ftype+xattrs+acl</td></tr><tr><td>/etc/aide.conf</td><td>CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_verify_acls" id="rule-detail-idm45662296164128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls lowCCE-84220-3 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Verify Access Control Lists (ACLs)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_verify_acls</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-aide_verify_acls:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84220-3">CCE-84220-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040310</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230552r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. >If using a custom ruleset or the <code>acl</code> option is missing, add <code>acl</code> >to the appropriate ruleset. >For example, add <code>acl</code> to the following line in <code>/etc/aide.conf</code>: ><pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre> >AIDE rules can be configured in multiple ways; this is merely one example that is already >configured by default. 
> >The remediation provided with this rule adds <code>acl</code> to all rule sets available in ><code>/etc/aide.conf</code></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ACLs can provide permissions beyond those permitted through the file mode and must be >verified by the file integrity tools.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> > <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">acl is set in /etc/aide.conf</span> > <span class="label label-default">oval:ssg-test_aide_verify_acls:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/aide.conf</td><td>DIR = p+i+n+u+g+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>PERMS = p+u+g+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>EVERYTHING = R+ALLXTRAHASHES+xattrs+acl</td></tr><tr><td>/etc/aide.conf</td><td>NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512</td></tr><tr><td>/etc/aide.conf</td><td>LOG = 
p+u+g+n+S+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>CONTENT = sha512+ftype+xattrs+acl</td></tr><tr><td>/etc/aide.conf</td><td>CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-detail-idm45662296088240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed mediumCCE-82214-8 </div><div class="panel-heading"><h3 class="panel-title">Install sudo Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_sudo_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_sudo_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82214-8">CCE-82214-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.3.1</a>, <a href="">1382</a>, <a href="">1384</a>, <a href="">1386</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>sudo</code> package can be installed with the following command: ><pre> >$ sudo yum install sudo</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>sudo</code> is a program designed to allow a system administrator to give >limited root privileges to users and log root activity. 
The basic philosophy >is to give as few privileges as possible but still allow system users to >get their work done.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sudo is installed</span> > <span class="label label-default">oval:ssg-test_package_sudo_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>sudo</td><td>x86_64</td><td>(none)</td><td>7.el8</td><td>1.8.29</td><td>0:1.8.29-7.el8</td><td>199e2f91fd431d51</td><td>sudo-0:1.8.29-7.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot" id="rule-detail-idm45662296081536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure sudo Ignores Commands In Current Dir - sudo ignore_dotxccdf_org.ssgproject.content_rule_sudo_add_ignore_dot mediumCCE-83810-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_ignore_dot:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83810-2">CCE-83810-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>ignore_dot</code> tag, when specified, will ignore the current directory >in the PATH environment variable. 
>On Red Hat Enterprise Linux 8, <code>env_reset</code> is enabled by default. >This should be enabled by making sure that the <code>ignore_dot</code> tag exists in ><code>/etc/sudoers</code> configuration file or any sudo configuration snippets >in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ignoring the commands in the user's current directory prevents an attacker from executing commands >downloaded locally.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">ignore_dot exists in /etc/sudoers or /etc/sudoers.d/</span> > <span class="label label-default">oval:ssg-test_ignore_dot_sudoers:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_ignore_dot_sudoers:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/sudoers(|\.d/.*)$</td><td>^[\s]*Defaults.*\bignore_dot\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="rule-detail-idm45662296077568"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXECxccdf_org.ssgproject.content_rule_sudo_add_noexec highCCE-83747-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC</h3></div><div
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83747-6">CCE-83747-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed >commands from executing other commands, like a shell for example. 
>This should be enabled by making sure that the <code>NOEXEC</code> tag exists in ><code>/etc/sudoers</code> configuration file or any sudo configuration snippets >in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Restricting the capability of sudo allowed commands to execute sub-commands >prevents users from running programs with privileges they wouldn't have otherwise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec exists in /etc/sudoers or /etc/sudoers.d/</span> > <span class="label label-default">oval:ssg-test_noexec_sudoers:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults noexec</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout" id="rule-detail-idm45662296073600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure sudo passwd_timeout is appropriate - sudo passwd_timeoutxccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout mediumCCE-83964-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target 
system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_passwd_timeout:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83964-7">CCE-83964-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>passwd_timeout</code> tag sets the amount of time sudo password prompt waits. >On Red Hat Enterprise Linux 8, the default <code>passwd_timeout</code> value is 5 minutes. 
> >The passwd_timeout should be configured by making sure that the ><code>passwd_timeout=sub_var_value("var_sudo_passwd_timeout")</code> tag exists in ><code>/etc/sudoers</code> configuration file or any sudo configuration snippets >in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Reducing the time <code>sudo</code> waits for a password reduces the time the process is exposed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">passwd_timeout exists in /etc/sudoers or /etc/sudoers.d/</span> > <span class="label label-default">oval:ssg-test_passwd_timeout_sudoers:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults passwd_timeout=1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" id="rule-detail-idm45662296066096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Don't define allowed commands in sudoers by means of exclusionxccdf_org.ssgproject.content_rule_sudoers_no_command_negation mediumCCE-83518-1 </div><div class="panel-heading"><h3 class="panel-title">Don't define allowed commands in sudoers by means of exclusion</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudoers_no_command_negation</td></tr><tr><td>Result</td><td class="rule-result
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudoers_no_command_negation:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83518-1">CCE-83518-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R61)</a></p></td></tr><tr><td>Description</td><td><div class="description">Policies applied by sudo through the sudoers file should not involve negation. > >Each user specification in the <code>sudoers</code> file contains a comma-delimited list of command specifications. >The definition can make use of glob patterns, as well as of negations. >Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Specifying access rights using negation is inefficient and can be easily circumvented. >For example, it is expected that a specification like <pre> ># To avoid absolutely, this rule can be easily circumvented!
>user ALL = ALL, !/bin/sh ></pre> prevents the execution of the shell >but that's not the case: just copy the binary <code>/bin/sh</code> to a different name to make it executable >again through the rule keyword <code>ALL</code>.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Make sure that no command in user spec contains negation</span> > <span class="label label-default">oval:ssg-test_sudoers_no_command_negation:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sudoers_no_command_negation:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/sudoers(\.d/.*)?$</td><td>^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="rule-detail-idm45662296062096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Only Users Logged In To Real
tty Can Execute Sudo - sudo use_ptyxccdf_org.ssgproject.content_rule_sudo_add_use_pty mediumCCE-83798-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_use_pty</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_use_pty:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83798-9">CCE-83798-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo >commands from users logged in to a real tty. 
>This should be enabled by making sure that the <code>use_pty</code> tag exists in ><code>/etc/sudoers</code> configuration file or any sudo configuration snippets >in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining >access to the user's terminal after the main program has finished executing.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">use_pty exists in /etc/sudoers or /etc/sudoers.d/</span> > <span class="label label-default">oval:ssg-test_use_pty_sudoers:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults use_pty</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_requiretty" id="rule-detail-idm45662296055424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requirettyxccdf_org.ssgproject.content_rule_sudo_add_requiretty mediumCCE-83790-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_requiretty</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_requiretty:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83790-6">CCE-83790-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>requiretty</code> tag, when specified, will only execute sudo >commands from users logged in to a real tty. 
>This should be enabled by making sure that the <code>requiretty</code> tag exists in ><code>/etc/sudoers</code> configuration file or any sudo configuration snippets >in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Restricting the use cases in which a user is allowed to execute sudo commands >reduces the attack surface.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">requiretty exists in /etc/sudoers or /etc/sudoers.d/</span> > <span class="label label-default">oval:ssg-test_requiretty_sudoers:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults requiretty</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="rule-detail-idm45662296051456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure sudo Runs In A Minimal Environment - sudo env_resetxccdf_org.ssgproject.content_rule_sudo_add_env_reset mediumCCE-83820-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure sudo Runs In A Minimal Environment - sudo env_reset</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_env_reset</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of 
the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_env_reset:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83820-1">CCE-83820-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment, >containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. 
>On Red Hat Enterprise Linux 8, <code>env_reset</code> is enabled by default. >This should be enabled by making sure that the <code>env_reset</code> tag exists in ><code>/etc/sudoers</code> configuration file or any sudo configuration snippets >in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Forcing sudo to reset the environment ensures that environment variables are not passed on to the >command accidentally, preventing leak of potentially sensitive information.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">env_reset exists in /etc/sudoers or /etc/sudoers.d/</span> > <span class="label label-default">oval:ssg-test_env_reset_sudoers:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td> >Defaults env_reset</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_umask" id="rule-detail-idm45662296047488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure sudo umask is appropriate - sudo umaskxccdf_org.ssgproject.content_rule_sudo_add_umask mediumCCE-83860-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure sudo umask is appropriate - sudo umask</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_umask</td></tr><tr><td>Result</td><td class="rule-result 
<div><abbr title=">
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_umask:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83860-7">CCE-83860-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>umask</code> tag, when specified, will be added to the user's umask in the >command environment. >On Red Hat Enterprise Linux 8, the default <code>umask</code> value is 0022. > >The umask should be configured by making sure that the <code>umask=sub_var_value("var_sudo_umask")</code> tag exists in ><code>/etc/sudoers</code> configuration file or any sudo configuration snippets >in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The umask value influences the permissions assigned to files when they are created. 
>A misconfigured umask value could result in files with excessive permissions that can be read or >written to by unauthorized users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">umask exists in /etc/sudoers or /etc/sudoers.d/</span> > <span class="label label-default">oval:ssg-test_umask_sudoers:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults umask=0027</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args" id="rule-detail-idm45662296040000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Explicit arguments in sudo specificationsxccdf_org.ssgproject.content_rule_sudoers_explicit_command_args mediumCCE-83632-0 </div><div class="panel-heading"><h3 class="panel-title">Explicit arguments in sudo specifications</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sudoers_explicit_command_args:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83632-0">CCE-83632-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R63)</a></p></td></tr><tr><td>Description</td><td><div class="description">All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. >If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Any argument can modify quite significantly the behavior of a program, whether regarding the >realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To >avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the >level of its specification. > >For example, on some systems, the kernel messages are only accessible by root. 
>If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted >in order to prevent the user from flushing the buffer through the -c option: ><pre> >user ALL = dmesg "" ></pre></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Make sure that no command in user spec is without any argument</span> > <span class="label label-default">oval:ssg-test_sudoers_explicit_command_args:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td> >Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_dedicated_group" 
id="rule-detail-idm45662296036000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure a dedicated group owns sudoxccdf_org.ssgproject.content_rule_sudo_dedicated_group mediumCCE-83982-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure a dedicated group owns sudo</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_dedicated_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_dedicated_group:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83982-9">CCE-83982-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R57)</a></p></td></tr><tr><td>Description</td><td><div class="description">Restrict the execution of privilege escalated commands to a dedicated group of users. 
>Ensure the group owner of /usr/bin/sudo is <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_sudo_dedicated_group">sudogrp</abbr>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Restricting the set of users able to execute commands as privileged user reduces the attack surface.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > Changing group owner of <code>/usr/bin/sudo</code> to a group with no member users will prevent >any and all escalation of privileges. >Additionally, the system may become unmanageable if root logins are not allowed.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > This rule doesn't come with a remediation; before remediating, the sysadmin needs to add users to the dedicated sudo group.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if dedicated group is listed in /etc/group</span> > <span class="label label-default">oval:ssg-test_dedicated_group_exists:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Grab GID of group set in var_sudo_dedicated_group">oval:ssg-sudo_dedicated_group_gid:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>sudogrp</td></tr><tr><td>^sudogrp:x:(\d+):.*$</td></tr></table></td><td>/etc/group</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">Check /usr/bin/sudo is owned by group defined in var_sudo_dedicated_group </span> > <span class="label label-default">oval:ssg-test_sudo_owned_by_dedicated_group:tst:1</span> > <span class="label label-danger">error</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/usr/bin/sudo</td><td>regular</td><td>0</td><td>0</td><td>165640</td><td><code>--s--x--x </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-detail-idm45662296031200"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-82202-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_remove_no_authenticate:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82202-3">CCE-82202-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010381</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230272r627750_rule</a>, <a href="">SRG-OS-000373-VMM-001470</a>, <a href="">SRG-OS-000373-VMM-001480</a>, <a href="">SRG-OS-000373-VMM-001490</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using >sudo without having to authenticate. This should be disabled by making sure that the ><code>!authenticate</code> option does not exist in <code>/etc/sudoers</code> configuration file or >any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they >do not have authorization. 
><br><br> >When operating systems provide the capability to escalate a functional capability, it >is critical that the user re-authenticate.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers</span> > <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers.d</span> > <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers.d</td><td>^.*$</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudoers_no_root_target" id="rule-detail-idm45662296027200"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Don't target root user in the sudoers filexccdf_org.ssgproject.content_rule_sudoers_no_root_target mediumCCE-83598-3 </div><div class="panel-heading"><h3 class="panel-title">Don't target root user in the sudoers file</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudoers_no_root_target</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudoers_no_root_target:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:25+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83598-3">CCE-83598-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R60)</a></p></td></tr><tr><td>Description</td><td><div class="description">The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). > >User specifications have to explicitly list the runas spec (i.e. 
the list of target users that can be impersonated), and <code>ALL</code> or <code>root</code> should not be used.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">It is common that the command to be executed does not require superuser rights (editing a file >whose owner is not root, sending a signal to an unprivileged process, etc.). In order to limit >any attempt of privilege escalation through a command, it is better to apply normal user rights.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Make sure that no user spec in sudoers has a runas spec that includes root or ALL</span> > <span class="label label-default">oval:ssg-test_no_root_or_ALL_in_runas_spec:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-root_or_ALL_in_runas_spec:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/sudoers(\.d/.*)?$</td><td>^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">make sure that all user specs in sudoers feature a runas spec</span> > <span class="label 
label-default">oval:ssg-test_no_user_spec_rules:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults env_keep = "</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-detail-idm45662296023216"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-82197-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_remove_nopasswd:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:25+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82197-5">CCE-82197-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010380</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230271r627750_rule</a>, <a href="">SRG-OS-000373-VMM-001470</a>, <a href="">SRG-OS-000373-VMM-001480</a>, <a href="">SRG-OS-000373-VMM-001490</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute >commands using sudo without having to authenticate. This should be disabled >by making sure that the <code>NOPASSWD</code> tag does not exist in ><code>/etc/sudoers</code> configuration file or any sudo configuration snippets >in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they >do not have authorization. 
<br><br>When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">NOPASSWD does not exist /etc/sudoers</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nopasswd_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">NOPASSWD does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers_d:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nopasswd_etc_sudoers_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers.d</td><td>^.*$</td><td>^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-detail-idm45662295864656"><div class="keywords sr-only"><!--This allows
OpenSCAP JS to search the report rules-->Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-80854-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/log/audit Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log_audit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var_log_audit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:25+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80854-3">CCE-80854-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.12</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001849</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000341-GPOS-00132</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010542</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230294r627750_rule</a>, <a href="">SRG-OS-000341-VMM-001220</a></p></td></tr><tr><td>Description</td><td><div class="description">Audit logs are stored in the 
<code>/var/log/audit</code> directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Placing <code>/var/log/audit</code> in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var/log/audit on own partition</span> <span class="label label-default">oval:ssg-testvar_log_audit_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log/audit</td><td>/dev/mapper/rhel-var_log_audit</td><td>c283ed62-570e-470f-9887-a451fb69ee7d</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">129704</td><td role="num">7555</td><td role="num">122149</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_boot" id="rule-detail-idm45662295860656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /boot Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_boot mediumCCE-83336-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure /boot Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_boot</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_boot:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:25+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83336-8">CCE-83336-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">It is recommended that the <code>/boot</code> directory resides on a separate >partition. 
This makes it easier to apply restrictions e.g. through the <code>noexec</code> mount option. Eventually, the <code>/boot</code> partition can be configured not to be mounted automatically with the <code>noauto</code> mount option.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/boot</code> partition contains the kernel and bootloader files. Access to this partition should be restricted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/boot on own partition</span> <span class="label label-default">oval:ssg-testboot_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>9bdb2e77-09b5-4440-bb45-2979a88c80fd</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">129704</td><td role="num">59981</td><td role="num">69723</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_opt" id="rule-detail-idm45662295856688"><div class="keywords
sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /opt Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_opt mediumCCE-83340-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure /opt Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_opt</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_opt:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:26+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83340-0">CCE-83340-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">It is recommended that the <code>/opt</code> directory resides on a separate >partition.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/opt</code> partition contains additional software, usually installed >outside the packaging system. Putting this directory on a separate partition >makes it easier to apply restrictions e.g. through the <code>nosuid</code> mount >option.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/opt on own partition</span> > <span class="label label-default">oval:ssg-testopt_partition:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space 
left</th></tr></thead><tbody><tr><td>/opt</td><td>/dev/mapper/rhel-opt</td><td>77ae06e9-6dd5-4e0a-b037-f3613a9d7b52</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10073</td><td role="num">249511</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-detail-idm45662295850032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-80851-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure /tmp Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_tmp:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:26+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80851-9">CCE-80851-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.2</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010543</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230295r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>/tmp</code> directory is a world-writable directory used >for temporary file storage. Ensure it has its own partition or >logical volume at installation time, or migrate it using LVM.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/tmp</code> partition is used as temporary storage by many programs. 
Placing <code>/tmp</code> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/tmp on own partition</span> <span class="label label-default">oval:ssg-testtmp_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/rhel-tmp</td><td>7046abce-80d6-421c-bff3-99e32bc334a2</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10119</td><td role="num">249465</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_srv" id="rule-detail-idm45662295846064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /srv Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_srv unknownCCE-83387-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure /srv Located On Separate
Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_srv</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_srv:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:26+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83387-1">CCE-83387-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">If a file server (FTP, TFTP...) is hosted locally, create a separate partition >for <code>/srv</code> at installation time (or migrate it later using LVM). If ><code>/srv</code> will be mounted from another system such as an NFS server, then >creating a separate partition is not necessary at installation time, and the >mountpoint can instead be configured later.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/srv</code> directory serves files for local network file servers such as FTP. 
Ensuring >that <code>/srv</code> is mounted on its own partition enables the setting of >more restrictive mount options, and also helps ensure that >users cannot trivially fill partitions used for log or audit data storage.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/srv on own partition</span> > <span class="label label-default">oval:ssg-testsrv_partition:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/srv</td><td>/dev/mapper/rhel-srv</td><td>77751d51-5128-44d4-b904-41179eafa70e</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10073</td><td role="num">249511</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_usr" id="rule-detail-idm45662295842096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /usr Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_usr mediumCCE-83343-4 </div><div class="panel-heading"><h3 
class="panel-title">Ensure /usr Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_usr</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_usr:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:26+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83343-4">CCE-83343-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">It is recommended that the <code>/usr</code> directory resides on a separate >partition.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/usr</code> partition contains system software, utilities and files. 
>Putting it on a separate partition allows limiting its size and applying >restrictions through mount options.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/usr on own partition</span> > <span class="label label-default">oval:ssg-testusr_partition:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/usr</td><td>/dev/mapper/rhel-usr</td><td>e1e98a2c-ead1-477e-bdd7-d69f4a5b6e84</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">1277440</td><td role="num">1139330</td><td role="num">138110</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-detail-idm45662295838128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-80852-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td 
class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:27+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80852-7">CCE-80852-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.6</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010540</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230292r627750_rule</a>, <a href="">SRG-OS-000341-VMM-001220</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>/var</code> directory is used by daemons and other system >services to store frequently-changing data. 
Ensure that <code>/var</code> has its own partition >or logical volume at installation time, or migrate it using LVM.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ensuring that <code>/var</code> is mounted on its own partition enables the >setting of more restrictive mount options. This helps protect >system services such as daemons or other programs which use it. >It is not uncommon for the <code>/var</code> directory to contain >world-writable directories installed by other software packages.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var on own partition</span> > <span class="label label-default">oval:ssg-testvar_partition:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var</td><td>/dev/mapper/rhel-var</td><td>3b9bf26c-12ea-4f64-abc1-3fac0b5d2263</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">783872</td><td role="num">64669</td><td role="num">719203</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_tmp" id="rule-detail-idm45662295834160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var/tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_tmp lowCCE-82730-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/tmp Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var_tmp:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:27+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82730-3">CCE-82730-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>/var/tmp</code> directory is a world-writable directory used >for temporary file storage. Ensure it has its own partition or >logical volume at installation time, or migrate it using LVM.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/var/tmp</code> partition is used as temporary storage by many programs. 
>Placing <code>/var/tmp</code> in its own partition enables the setting of more >restrictive mount options, which can help protect programs which use it.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var/tmp on own partition</span> > <span class="label label-default">oval:ssg-testvar_tmp_partition:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/tmp</td><td>/dev/mapper/rhel-var_tmp</td><td>5cdb94cd-dc68-4f07-aca4-c8f069f590f1</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10098</td><td role="num">249486</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log" id="rule-detail-idm45662295830192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log mediumCCE-80853-5 </div><div class="panel-heading"><h3 
class="panel-title">Ensure /var/log Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var_log:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:27+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80853-5">CCE-80853-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R47)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.11</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a 
href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010541</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230293r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">System logs are stored in the <code>/var/log</code> directory. >Ensure that it has its own partition or logical >volume at installation time, or migrate it using LVM.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Placing <code>/var/log</code> in its own partition >enables better separation between log files >and other files in <code>/var/</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var/log on own partition</span> > <span class="label label-default">oval:ssg-testvar_log_partition:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/rhel-var_log</td><td>54ebd97a-fc48-4ff8-9e66-637df9cbc902</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">12683</td><td 
role="num">246901</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-detail-idm45662295826224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-81044-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure /home Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_home</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_home:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81044-0">CCE-81044-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.13</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001208</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010800</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230328r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">If user home directories will be stored locally, create a separate partition >for <code>/home</code> at installation time (or migrate it later using LVM). 
If ><code>/home</code> will be mounted from another system such as an NFS server, then >creating a separate partition is not necessary at installation time, and the >mountpoint can instead be configured later.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ensuring that <code>/home</code> is mounted on its own partition enables the >setting of more restrictive mount options, and also helps ensure that >users cannot trivially fill partitions used for log or audit data storage.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/home on own partition</span> > <span class="label label-default">oval:ssg-testhome_partition:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/rhel-home</td><td>249c85b7-b274-4df5-8ef4-8790ff211f6a</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">13526</td><td role="num">246058</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" id="rule-detail-idm45662295822256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install dnf-automatic Packagexccdf_org.ssgproject.content_rule_package_dnf-automatic_installed mediumCCE-82985-3 </div><div class="panel-heading"><h3 class="panel-title">Install dnf-automatic Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_dnf-automatic_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82985-3">CCE-82985-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>dnf-automatic</code> package can be installed with the following command: <pre>$ sudo yum install dnf-automatic</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>dnf-automatic</code> is an alternative command line interface (CLI) to <code>dnf upgrade</code> suitable for automatic, regular execution.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dnf-automatic is installed</span> <span class="label label-default">oval:ssg-test_package_dnf-automatic_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended
name</th></tr></thead><tbody><tr><td>dnf-automatic</td><td>noarch</td><td>(none)</td><td>11.el8</td><td>4.4.2</td><td>0:4.4.2-11.el8</td><td>199e2f91fd431d51</td><td>dnf-automatic-0:4.4.2-11.el8.noarch</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-detail-idm45662295818256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-80795-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Red Hat GPG Key Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_redhat_gpgkey_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80795-8">CCE-80795-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.2.3</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: <pre>$ sudo subscription-manager register</pre> If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in <code>/media/cdrom</code>, use the following command as the root user to import it into the keyring: <pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre> Alternatively, the key may be pre-loaded during the RHEL installation.
In such cases, the key can be installed by running the following command: <pre>sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature
keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.6.el8</td><td>8.5</td><td>0:8.5-0.6.el8</td><td>199e2f91fd431d51</td><td>redhat-release-0:8.5-0.6.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> > <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.6.el8</td><td>8.5</td><td>0:8.5-0.6.el8</td><td>199e2f91fd431d51</td><td>redhat-release-0:8.5-0.6.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> > <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> > <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> > <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> > <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> > <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> > <span class="label 
label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> > <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.6.el8</td><td>8.5</td><td>0:8.5-0.6.el8</td><td>199e2f91fd431d51</td><td>redhat-release-0:8.5-0.6.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> > <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.6.el8</td><td>8.5</td><td>0:8.5-0.6.el8</td><td>199e2f91fd431d51</td><td>redhat-release-0:8.5-0.6.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> > <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of 
type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> > <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> > <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> > <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Red Hat release key package is installed</span> > <span class="label label-default">oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>5b32db75</td><td>d4082792</td><td>0:d4082792-5b32db75</td><td>0</td><td>gpg-pubkey-0:d4082792-5b32db75.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr></tbody></table><h4><span class="label label-primary">Red Hat auxiliary key package is installed</span> > <span class="label label-default">oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>5b32db75</td><td>d4082792</td><td>0:d4082792-5b32db75</td><td>0</td><td>gpg-pubkey-0:d4082792-5b32db75.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr></tbody></table><h4><span class="label 
label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type > <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type > <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> > <span class="label label-default">oval:ssg-test_centos8_name:tst:1</span> > <span class="label 
label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release ID">oval:ssg-obj_name_centos8:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^ID="(\w+)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> > <span class="label label-default">oval:ssg-test_centos8_name:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>ID="rhel"</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> > <span class="label label-default">oval:ssg-test_centos8_version:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos8:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> > <span class="label label-default">oval:ssg-test_centos8_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos8:obj:1</abbr></strong> of type > 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type > <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type > <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table 
class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> > <span class="label label-default">oval:ssg-test_centos8_name:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release ID">oval:ssg-obj_name_centos8:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^ID="(\w+)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> > <span class="label label-default">oval:ssg-test_centos8_name:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>ID="rhel"</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> > <span class="label label-default">oval:ssg-test_centos8_version:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos8:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> > <span class="label 
label-default">oval:ssg-test_centos8_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos8:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">CentOS8 key package is installed</span> > <span class="label label-default">oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>5b32db75</td><td>d4082792</td><td>0:d4082792-5b32db75</td><td>0</td><td>gpg-pubkey-0:d4082792-5b32db75.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" id="rule-detail-idm45662295814256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable dnf-automatic Timerxccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled mediumCCE-82360-9 </div><div class="panel-heading"><h3 class="panel-title">Enable dnf-automatic Timer</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-timer_dnf-automatic_enabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82360-9">CCE-82360-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description"> >The <code>dnf-automatic</code> timer can be enabled 
with the following command: ><pre>$ sudo systemctl enable dnf-automatic.timer</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>dnf-automatic</code> is an alternative command line interface (CLI) to <code>dnf upgrade</code> with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. >The tool is controlled by <code>dnf-automatic.timer</code> SystemD timer.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dnf-automatic is installed</span> > <span class="label label-default">oval:ssg-test_package_dnf-automatic_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>dnf-automatic</td><td>noarch</td><td>(none)</td><td>11.el8</td><td>4.4.2</td><td>0:4.4.2-11.el8</td><td>199e2f91fd431d51</td><td>dnf-automatic-0:4.4.2-11.el8.noarch</td></tr></tbody></table><h4><span class="label label-primary">Test that the dnf-automatic timer is running</span> > <span class="label label-default">oval:ssg-test_timer_running_dnf-automatic:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>dnf-automatic.timer</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> > <span class="label 
label-default">oval:ssg-test_multi_user_wants_dnf-automatic:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</t
h><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var-tmp.mount</td><td>var.mount</td><td>sysinit.target</td><td>plymouth-read-write.service</td><td>lvm2-monitor.service</td><td>cryptsetup.target</td><td>systemd-hwdb-update.service</td><td>sys-kernel-debug.mount</td><td>local-fs.target</td><td>-.mount</td><td>srv.mount</td><td>opt.mount</td><td>home.mount</td><td>var-log.mount</td><td>tmp.mount</td><td>var-log-audit.mount</td><td>usr.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>ostree-remount.service</td><td>lvm2-lvmpolld.socket</td><td>systemd-journal-flush.service</td><td>nis-domainname.service</td><td>iscsi-onboot.service</td><td>ldconfig.service</td><td>systemd-udevd.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-utmp.service</td><td>systemd-random-seed.service</td><td>plymouth-start.service</td><td>dev-mqueue.mount</td><td>systemd-tmpfiles-setup.service</td><td>systemd-update-done.service</td><td>systemd-sysctl.service</td><td>systemd-modules-load.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-binfmt.service</td><td>selinux-autorelabel-mark.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>dev-hugepages.mount<
/td><td>systemd-udev-trigger.service</td><td>systemd-machine-id-commit.service</td><td>systemd-sysusers.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>sys-kernel-config.mount</td><td>loadmodules.service</td><td>swap.target</td><td>dev-mapper-rhel\x2dswap.swap</td><td>kmod-static-nodes.service</td><td>multipathd.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-journald.service</td><td>dracut-shutdown.service</td><td>paths.target</td><td>timers.target</td><td>dnf-makecache.timer</td><td>dnf-automatic.timer</td><td>mlocate-updatedb.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-journald.socket</td><td>avahi-daemon.socket</td><td>systemd-journald-dev-log.socket</td><td>dm-event.socket</td><td>libvirtd-ro.socket</td><td>dbus.socket</td><td>libvirtd.socket</td><td>virtlogd.socket</td><td>virtlockd.socket</td><td>systemd-coredump.socket</td><td>iscsiuio.socket</td><td>systemd-udevd-kernel.socket</td><td>multipathd.socket</td><td>systemd-initctl.socket</td><td>iscsid.socket</td><td>cups.socket</td><td>systemd-udevd-control.socket</td><td>rpcbind.socket</td><td>sssd-kcm.socket</td><td>microcode.service</td><td>mdmonitor.service</td><td>smartd.service</td><td>sssd.service</td><td>plymouth-quit-wait.service</td><td>auditd.service</td><td>nfs-client.target</td><td>auth-rpcgss-module.service</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>getty@tty1.service</td><td>vdo.service</td><td>plymouth-quit.service</td><td>mcelog.service</td><td>systemd-ask-password-wall.path</td><td>ksm.service</td><td>tuned.service</td><td>rpcbind.service</td><td>rsyslog.service</td><td>ModemManager.service</td><td>chronyd.service</td><td>systemd-logind.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>NetworkManager.service</td><td>libstoragemgmt.service</t
d><td>vmtoolsd.service</td><td>sshd.service</td><td>ksmtuned.service</td><td>firewalld.service</td><td>irqbalance.service</td><td>cups.service</td><td>systemd-user-sessions.service</td><td>rhsmcertd.service</td><td>avahi-daemon.service</td><td>dbus.service</td><td>kdump.service</td><td>libvirtd.service</td><td>cups.path</td><td>remote-fs.target</td><td>iscsi.service</td><td>var-lib-machines.mount</td><td>atd.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-detail-idm45662295810256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date highCCE-80865-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure Software Patches Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_security_patches_up_to_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>yes</td></tr><tr><td>OVAL Definition ID</td><td></td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80865-9">CCE-80865-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R08)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.9</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">20</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO12.01</a>, <a href="https://www.isaca.org/resources/cobit">APO12.02</a>, <a href="https://www.isaca.org/resources/cobit">APO12.03</a>, <a href="https://www.isaca.org/resources/cobit">APO12.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001227</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.9</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.RA-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-12</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010010</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230222r627750_rule</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"> >If the system is joined to the Red Hat Network, a Red Hat Satellite Server, >or a yum server, run the following command to install updates: ><pre>$ sudo yum update</pre> >If the system is not configured to use one of these sources, updates (in the form of RPM packages) >can be manually downloaded from the Red Hat Network and installed using <code>rpm</code>. > ><br><br> >NOTE: U.S. 
Defense systems are required to be patched within 30 days or sooner as local policy >dictates.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Installing software updates is a fundamental mitigation against >the exploitation of publicly-known vulnerabilities. If the most >recent security patches and updates are not installed, unauthorized >users may take advantage of weaknesses in the unpatched software. The >lack of prompt attention to patching could result in a system compromise.</div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">None of the check-content-ref elements was resolvable.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" id="rule-detail-idm45662295805600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure dnf-automatic to Install Only Security Updatesxccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only lowCCE-82267-6 </div><div class="panel-heading"><h3 class="panel-title">Configure dnf-automatic to Install Only Security Updates</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL 
Definition ID</td><td>oval:ssg-dnf-automatic_security_updates_only:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82267-6">CCE-82267-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure <code>dnf-automatic</code> to install only security updates >automatically, set <code>upgrade_type</code> to <code>security</code> under ><code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By default, <code>dnf-automatic</code> installs all available updates. 
>Reducing the amount of updated packages only to updates that were >issued as a part of a security advisory increases the system stability.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file</span> > <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>[commands] ># What kind of upgrade to perform: ># default = all available upgrades ># security = only the security upgrades >upgrade_type = security</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only</span> > <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>regular</td><td>0</td><td>0</td><td>2719</td><td><code>rw-r--r-- </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-detail-idm45662295801600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the 
report rules-->Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-80791-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Local Packages</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_local_packages:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80791-7">CCE-80791-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010371</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230265r627750_rule</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description"><code>yum</code> should be configured to verify the signature(s) of local packages >prior to installation. 
To configure <code>yum</code> to verify signatures of local >packages, set the <code>localpkg_gpgcheck</code> to <code>1</code> in <code>/etc/yum.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to any software components can have significant effects to the overall security >of the operating system. This requirement ensures the software has not been tampered and >has been provided by a trusted vendor. ><br><br> >Accordingly, patches, service packs, device drivers, or operating system components must >be signed with a certificate recognized and approved by the organization.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of localpkg_gpgcheck in /etc/yum.conf</span> > <span class="label label-default">oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/yum.conf</td><td>localpkg_gpgcheck = 1 ></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="rule-detail-idm45662295794896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure dnf-automatic to Install Available Updates Automaticallyxccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates mediumCCE-82494-6 </div><div class="panel-heading"><h3 class="panel-title">Configure dnf-automatic to Install Available Updates Automatically</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dnf-automatic_apply_updates:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82494-6">CCE-82494-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="">0940</a>, <a href="">1144</a>, <a href="">1467</a>, <a href="">1472</a>, <a href="">1483</a>, <a href="">1493</a>, <a href="">1494</a>, <a href="">1495</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under the <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of apply_updates setting in the /etc/dnf/automatic.conf file</span> <span class="label label-default">oval:ssg-test_dnf-automatic_apply_updates:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>[commands]
# What kind of upgrade to perform:
# default = all available upgrades
# security = only the security upgrades
upgrade_type = security
random_sleep = 0

# Maximum time in seconds to wait until the system is on-line and able to
# connect to remote repositories.
network_online_timeout = 60

# To just receive updates use dnf-automatic-notifyonly.timer

# Whether updates should be downloaded when they are available, by
# dnf-automatic.timer. notifyonly.timer, download.timer and
# install.timer override this setting.
download_updates = yes

# Whether updates should be applied when they are available, by
# dnf-automatic.timer. notifyonly.timer, download.timer and
# install.timer override this setting.
apply_updates = yes</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates</span> <span class="label label-default">oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>regular</td><td>0</td><td>0</td><td>2719</td><td><code>rw-r--r-- </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-detail-idm45662295788192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for All yum Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-80792-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for All yum Package Repositories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_never_disabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80792-5">CCE-80792-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure signature checking is not disabled for >any repos, 
remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck=0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for existence of gpgcheck=0 in /etc/yum.repos.d/ files</span> <span class="label label-default">oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/yum.repos.d</td><td>.*</td><td>^\s*gpgcheck\s*=\s*0\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-detail-idm45662295784192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled In Main yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-80790-9 </div><div 
class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled In Main yum Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_globally_activated:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80790-9">CCE-80790-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.2.4</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010370</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230264r627750_rule</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>gpgcheck</code> option controls whether >RPM packages' signatures are always checked prior to installation. 
To configure yum to check package signatures before installing them, ensure the following line appears in <code>/etc/yum.conf</code> in the <code>[main]</code> section: <pre>gpgcheck=1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. <br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. <br>Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of gpgcheck in /etc/yum.conf</span> <span class="label label-default">oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/yum.conf</td><td>gpgcheck=1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_prefer_64bit_os" id="rule-detail-idm45662296196112"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prefer to use a 64-bit Operating System when supportedxccdf_org.ssgproject.content_rule_prefer_64bit_os mediumCCE-83694-0 </div><div class="panel-heading"><h3 class="panel-title">Prefer to use a 64-bit Operating System when supported</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_prefer_64bit_os</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-prefer_64bit_os:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83694-0">CCE-83694-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R10)</a></p></td></tr><tr><td>Description</td><td><div class="description">Prefer installation of 64-bit operating systems when the CPU supports it.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a 64-bit operating system offers a few advantages, like a larger address space range for Address Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> There is no remediation besides installing a 64-bit operating system.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if kernel nvr arch is 64-bit</span> <span class="label label-default">oval:ssg-test_proc_sys_kernel_osrelease_64_bit:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/proc/sys/kernel/osrelease</td><td>4.18.0-314.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Check for CPU flag 
lm</span> > <span class="label label-default">oval:ssg-test_proc_cpuinfo_64_bit:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/proc/cpuinfo</td><td>flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat umip md_clear arch_capabilities</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-detail-idm45662295741104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set PAM's Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-80893-1 </div><div class="panel-heading"><h3 class="panel-title">Set PAM's Password Hashing Algorithm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-set_password_hashing_algorithm_systemauth:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80893-1">CCE-80893-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R32)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.4</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000196</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000073-GPOS-00041</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010160</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230237r627750_rule</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/system-auth</code>, the <code>password</code> section of the file controls which PAM modules execute during a password change. Set the <code>pam_unix.so</code> module in the <code>password</code> section to include the argument <code>sha512</code>, as shown below: <br> <pre>password sufficient pam_unix.so sha512 <i>other arguments...</i></pre> <br> This will help ensure that when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. <br><br> This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. 
Additionally, the <code>crypt_style</code> configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check /etc/pam.d/system-auth for correct settings</span> <span class="label label-default">oval:ssg-test_pam_unix_sha512:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-detail-idm45662295726256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-80663-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Special Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_ocredit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80663-8">CCE-80663-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001619</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000266-GPOS-00101</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020280</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230375r627750_rule</a>, <a href="">SRG-OS-000266-VMM-000940</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for >usage of special (or "other") characters in a password. When set to a negative number, >any password will be required to contain that many special characters. >When set to a positive number, pam_pwquality will grant +1 >additional length credit for each special character. Modify the <code>ocredit</code> setting >in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr> >to require use of a special character in passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a complex password helps to increase the time and resources required >to compromise the password. Password complexity, or strength, is a measure of >the effectiveness of a password in resisting attempts at guessing and brute-force >attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes >to crack a password. The more complex the password, the greater the number of >possible combinations that need to be tested before the password is compromised. 
>Requiring a minimum number of special characters makes password guessing attacks >more difficult by ensuring a larger search space.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> > <span class="label label-default">oval:ssg-test_password_pam_pwquality_ocredit:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>ocredit = -1 ></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-detail-idm45662295716016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-80655-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Lowercase 
Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_lcredit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80655-4">CCE-80655-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000193</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000070-GPOS-00038</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020120</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230358r627750_rule</a>, <a href="">SRG-OS-000070-VMM-000370</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>lcredit</code> parameter controls requirements for >usage of lowercase letters in a password. When set to a negative number, any password will be required to >contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional >length credit for each lowercase character. Modify the <code>lcredit</code> setting in ><code>/etc/security/pwquality.conf</code> to require the use of a lowercase character in passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a complex password helps to increase the time and resources required >to compromise the password. Password complexity, or strength, is a measure of >the effectiveness of a password in resisting attempts at guessing and brute-force >attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes >to crack a password. The more complex the password, the greater the number of >possible combinations that need to be tested before the password is compromised. 
>Requiring a minimum number of lowercase characters makes password guessing attacks >more difficult by ensuring a larger search space.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> > <span class="label label-default">oval:ssg-test_password_pam_pwquality_lcredit:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>lcredit = -1 ></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-detail-idm45662295711184"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-80653-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Digit 
Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_dcredit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80653-9">CCE-80653-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000194</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000071-GPOS-00039</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020130</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230359r627750_rule</a>, <a href="">SRG-OS-000071-VMM-000380</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>dcredit</code> parameter controls requirements for >usage of digits in a password. When set to a negative number, any password will be required to >contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional >length credit for each digit. Modify the <code>dcredit</code> setting in ><code>/etc/security/pwquality.conf</code> to require the use of a digit in passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a complex password helps to increase the time and resources required >to compromise the password. Password complexity, or strength, is a measure of >the effectiveness of a password in resisting attempts at guessing and brute-force >attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes >to crack a password. The more complex the password, the greater the number of >possible combinations that need to be tested before the password is compromised. 
>Requiring digits makes password guessing attacks more difficult by ensuring a larger >search space.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> > <span class="label label-default">oval:ssg-test_password_pam_pwquality_dcredit:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>dcredit = -1 ></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-detail-idm45662295706352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit mediumCCE-80665-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_ucredit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80665-3">CCE-80665-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000192</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000069-GPOS-00037</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020110</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230357r627750_rule</a>, <a href="">SRG-OS-000069-VMM-000360</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the <code>ucredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of an uppercase character in passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. 
The more >complex the password, the greater the number of possible combinations that need to be tested before >the password is compromised.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> > <span class="label label-default">oval:ssg-test_password_pam_pwquality_ucredit:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>ucredit = -1 ></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-detail-idm45662295701520"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-80656-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Length</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_minlen:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80656-2">CCE-80656-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000205</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020230</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230369r627750_rule</a>, <a href="">SRG-OS-000072-VMM-000390</a>, <a href="">SRG-OS-000078-VMM-000450</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>minlen</code> parameter controls requirements for >minimum characters required in a password. Add <code>minlen=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">18</abbr></code> >after pam_pwquality to set minimum password length requirements.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The shorter the password, the lower the number of possible combinations >that need to be tested before the password is compromised. ><br> >Password complexity, or strength, is a measure of the effectiveness of a >password in resisting attempts at guessing and brute-force attacks. >Password length is one factor of several that helps to determine strength >and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_minlen:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>minlen = 18</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-detail-idm45662295693984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-80669-5 </div><div class="panel-heading"><h3 class="panel-title">Set Interval For Counting Failed Password Attempts</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_interval:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80669-5">CCE-80669-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a 
href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020012</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230334r627750_rule</a>, <a href="">SRG-OS-000021-VMM-000050</a></p></td></tr><tr><td>Description</td><td><div class="description">Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive >configures the system to lock out an account after a number of incorrect >login attempts within a specified time period. 
Modify the content of both ><code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> >as follows: ><br><br> ><ul><li>Add the following line immediately <code>before</code> the > <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre> ></li><li>Add the following line immediately <code>after</code> the > <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr> ></pre> ></li><li>Add the following line immediately <code>before</code> the > <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: ><pre>account required pam_faillock.so</pre> ></li></ul></div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts the risk of unauthorized system >access via user password guessing, otherwise known as brute-forcing, is reduced. 
>Limits are imposed by locking the account.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check maximum preauth fail_interval allowed in /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">check maximum authfail fail_interval allowed in /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">check maximum authfail fail_interval allowed in /etc/pam.d/password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">check maximum preauth fail_interval allowed in /etc/pam.d/password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">check if pam_faillock.so is required in account section in /etc/pam.d/password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_requires_password-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> >account required pam_faillock.so</td></tr></tbody></table><h4><span class="label label-primary">check if pam_faillock.so is required in account section in /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_requires_system-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >account required 
pam_faillock.so</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-detail-idm45662295689088"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit Password Reusexccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember mediumCCE-80666-1 </div><div class="panel-heading"><h3 class="panel-title">Limit Password Reuse</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_unix_remember:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80666-1">CCE-80666-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000200</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(e)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000077-GPOS-00045</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020220</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230368r627750_rule</a>, <a href="">SRG-OS-000077-VMM-000440</a></p></td></tr><tr><td>Description</td><td><div class="description">Do not allow users to reuse recent passwords. This can be >accomplished by using the <code>remember</code> option for the <code>pam_unix</code> >or <code>pam_pwhistory</code> PAM modules. 
><br><br> >In the file <code>/etc/pam.d/system-auth</code>, append <code>remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">2</abbr></code> >to the line which refers to the <code>pam_unix.so</code> or <code>pam_pwhistory.so</code> module, as shown below: ><ul><li>for the <code>pam_unix.so</code> case: ><pre>password sufficient pam_unix.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">2</abbr></pre> ></li><li>for the <code>pam_pwhistory.so</code> case: ><pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">2</abbr></pre> ></li></ul> >The DoD STIG requirement is 5 passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_password_pam_unix_remember:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Test if remember attribute of pam_pwhistory.so is set correctly in 
/etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_password_pam_pwhistory_remember:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-detail-idm45662295684240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-80670-3 </div><div class="panel-heading"><h3 class="panel-title">Set Lockout Time for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80670-3">CCE-80670-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020014</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230336r627750_rule</a>, <a href="">SRG-OS-000329-VMM-001180</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system to lock out accounts after a number of incorrect login >attempts and require an administrator to unlock the account using <code>pam_faillock.so</code>, >modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: ><br><br> ><ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the 
<code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: ><pre>account required pam_faillock.so</pre></li></ul> >If <code>unlock_time</code> is set to <code>0</code>, manual intervention by an administrator is required to unlock a user.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Locking out user accounts after a number of incorrect attempts >prevents direct password guessing attacks. 
Ensuring that an administrator is >involved in unlocking locked accounts draws appropriate attention to such >situations.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if external variable unlock time is never</span> > <span class="label label-default">oval:ssg-test_var_faillock_unlock_time_is_never:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1</td><td>900</td></tr></tbody></table><h4><span class="label label-primary">Check if unlock time is never</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_is_never:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/password-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">Check if external variable unlock time is 
never</span> > <span class="label label-default">oval:ssg-test_var_faillock_unlock_time_is_never:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1</td><td>900</td></tr></tbody></table><h4><span class="label label-primary">Check if unlock time is never, or greater than or equal external variable</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_greater_or_equal_ext_var:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/password-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-detail-idm45662295679328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Deny For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-80667-9 </div><div class="panel-heading"><h3 
class="panel-title">Set Deny For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80667-9">CCE-80667-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020010</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230332r627750_rule</a>, <a href="">SRG-OS-000021-VMM-000050</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system to lock out accounts after a number of incorrect login >attempts using <code>pam_faillock.so</code>, modify the content of both ><code>/etc/pam.d/system-auth</code> and 
<code>/etc/pam.d/password-auth</code> as follows: ><br><br> ><ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: ><pre>account required pam_faillock.so</pre></li></ul></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Locking out user accounts after a number of incorrect attempts >prevents direct password guessing attacks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check pam_faillock.so preauth silent present, with correct deny value, and is followed by 
pam_unix.</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root >auth sufficient pam_unix.so nullok try_first_pass ></td></tr></tbody></table><h4><span class="label label-primary">Check if pam_faillock.so is called in account phase before pam_unix</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> > >account required pam_faillock.so >account required pam_unix.so ></td></tr></tbody></table><h4><span class="label label-primary">Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> >auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root >auth sufficient pam_unix.so nullok try_first_pass ></td></tr></tbody></table><h4><span class="label label-primary">Check if pam_faillock_so is called in account phase before 
pam_unix.</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> > >account required pam_faillock.so >account required pam_unix.so ></td></tr></tbody></table><h4><span class="label label-primary">Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Is pam_faillock not skipped?">oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin</td><td>/etc/pam.d/system-auth</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >auth sufficient 
pam_unix.so nullok try_first_pass >auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3</td></tr></tbody></table><h4><span class="label label-primary">Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Is pam_faillock not skipped?">oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin</td><td>/etc/pam.d/password-auth</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct.</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> >auth sufficient pam_unix.so nullok try_first_pass >auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" 
id="rule-detail-idm45662295674464"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-80668-7 </div><div class="panel-heading"><h3 class="panel-title">Configure the root Account for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80668-7">CCE-80668-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020022</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230344r646874_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system to lock out the <code>root</code> account after a >number of incorrect login attempts using <code>pam_faillock.so</code>, modify >the content of both <code>/etc/pam.d/system-auth</code> and ><code>/etc/pam.d/password-auth</code> as follows: ><br><br> ><ul><li>Modify the following line in the <code>AUTH</code> section to add ><code>even_deny_root</code>: ><pre>auth required pam_faillock.so preauth silent <b>even_deny_root</b> deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li>Modify the following line in the <code>AUTH</code> section to add ><code>even_deny_root</code>: ><pre>auth [default=die] pam_faillock.so authfail <b>even_deny_root</b> deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre> ></li></ul></div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts, the risk of unauthorized system 
access via user password >guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth</span> > <span class="label label-default">oval:ssg-test_pam_faillock_preauth_silent_system-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root >auth sufficient pam_unix.so nullok try_first_pass ></td></tr></tbody></table><h4><span class="label label-primary">Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)</span> > <span class="label label-default">oval:ssg-test_pam_faillock_authfail_deny_root_system-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> >auth sufficient pam_unix.so nullok try_first_pass >auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root ></td></tr></tbody></table><h4><span class="label label-primary">Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth</span> > <span class="label label-default">oval:ssg-test_pam_faillock_preauth_silent_password-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following 
items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> >auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root >auth sufficient pam_unix.so nullok try_first_pass ></td></tr></tbody></table><h4><span class="label label-primary">Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)</span> > <span class="label label-default">oval:ssg-test_pam_faillock_authfail_deny_root_password-auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> >auth sufficient pam_unix.so nullok try_first_pass >auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root ></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_enable_pam_namespace" id="rule-detail-idm45662295750512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Up a Private Namespace in PAM Configurationxccdf_org.ssgproject.content_rule_enable_pam_namespace lowCCE-83744-3 </div><div class="panel-heading"><h3 class="panel-title">Set Up a Private Namespace in PAM Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_pam_namespace</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-enable_pam_namespace:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83744-3">CCE-83744-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set up a private namespace, add the following line to <code>/etc/pam.d/login</code>: <pre>session required pam_namespace.so</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both.
The polyinstantiated directories can be used to dedicate separate temporary directories to each account.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the presence of pam_namespace.so module in the /etc/pam.d/login file</span> <span class="label label-default">oval:ssg-test_enable_pam_namespace:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/login</td><td>session required pam_namespace.so</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" id="rule-detail-idm45662295619072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Length in login.defsxccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs mediumCCE-80652-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Length in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_password_minlen_login_defs:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80652-1">CCE-80652-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000205</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020231</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230370r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify password length requirements for new accounts, edit the file ><code>/etc/login.defs</code> and add or correct the following line: ><pre>PASS_MIN_LEN <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs">18</abbr></pre> ><br><br> >The DoD requirement is <code>15</code>. >The FISMA requirement is <code>12</code>. >The profile requirement is ><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs">18</abbr></code>. >If a program consults <code>/etc/login.defs</code> and also another PAM module >(such as <code>pam_pwquality</code>) during a password change operation, then >the most restrictive must be satisfied. See PAM section for more >information about enforcing password quality requirements.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Requiring a minimum password length makes password >cracking attacks more difficult by ensuring a larger >search space. 
However, any security benefit from an onerous requirement >must be carefully weighed against usability problems, support costs, or counterproductive >behavior that may result.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs</span> > <span class="label label-default">oval:ssg-test_pass_min_len:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_min_len_instance_value:var:1</td><td>18</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-detail-idm45662295614208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-80647-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_maximum_age_login_defs:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80647-1">CCE-80647-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.1.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000199</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000076-GPOS-00044</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020200</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230366r646878_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify password maximum age for new accounts, >edit the file <code>/etc/login.defs</code> >and add or correct the following line: ><pre>PASS_MAX_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">90</abbr></pre> >A value of 180 days is sufficient for many environments. >The DoD requirement is 60. >The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">90</abbr></code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Any password, no matter how complex, can eventually be cracked. Therefore, passwords >need to be changed periodically. If the operating system does not limit the lifetime >of passwords and force users to change their passwords, there is the risk that the >operating system passwords could be compromised. ><br><br> >Setting the password maximum age ensures users are required to >periodically change their passwords. 
Requiring shorter password lifetimes >increases the risk of users writing down the password in a convenient >location subject to physical compromise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs</span> > <span class="label label-default">oval:ssg-test_pass_max_days:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_max_days_instance_value:var:1</td><td>90</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_direct_root_logins" id="rule-detail-idm45662295586288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Direct root Logins Not Allowedxccdf_org.ssgproject.content_rule_no_direct_root_logins mediumCCE-80840-2 </div><div class="panel-heading"><h3 class="panel-title">Direct root Logins Not Allowed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_direct_root_logins</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-no_direct_root_logins:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80840-2">CCE-80840-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.6</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a></p></td></tr><tr><td>Description</td><td><div class="description">To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty</code> file. This file lists all devices on which the root user is allowed to log in. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or via a raw network interface. This is dangerous because a user can log in to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux 8's <code>/etc/securetty</code> file only allows the root user to log in at the console physically attached to the system. To prevent direct root logins, remove the contents of this file by typing the following command: <pre>$ sudo sh -c 'echo > /etc/securetty'</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts.
Users will first log in, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">no entries in /etc/securetty</span> <span class="label label-default">oval:ssg-test_no_direct_root_logins:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/securetty</td><td></td></tr></tbody></table><h4><span class="label label-primary">/etc/securetty file exists</span> <span class="label label-default">oval:ssg-test_etc_securetty_exists:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/securetty</td><td></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth" id="rule-detail-idm45662295548528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set number of Password Hashing Rounds - system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth mediumCCE-83386-3 </div><div class="panel-heading"><h3 class="panel-title">Set number of Password Hashing Rounds - system-auth</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id
col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_unix_rounds_system_auth:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83386-3">CCE-83386-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R32)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000196</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000073-GPOS-00041</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010130</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230233r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure the number of rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>pam_unix</code> PAM module.
<br><br>In file <code>/etc/pam.d/system-auth</code> append <code>rounds=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds">65536</abbr></code> to the <code>pam_unix.so</code> line, as shown below: <pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds">65536</abbr></pre> The system's default number of rounds is 5000.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Using a higher number of rounds makes password cracking attacks more difficult.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_system_auth_pam_unix_rounds_is_set:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Test if rounds attribute of pam_unix.so is not set in /etc/pam.d/system-auth</span> <span class="label
label-default">oval:ssg-test_system_auth_pam_unix_rounds_is_default:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Check if value of var_password_pam_unix_rounds is the system's default</span> <span class="label label-default">oval:ssg-test_system_auth_default_pam_unix_rounds_var:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_password_pam_unix_rounds:var:1</td><td>65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth" id="rule-detail-idm45662295540944"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set number of Password Hashing Rounds - password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth mediumCCE-83403-6 </div><div class="panel-heading"><h3 class="panel-title">Set number of Password Hashing Rounds - password-auth</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_unix_rounds_password_auth:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83403-6">CCE-83403-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R32)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000196</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000073-GPOS-00041</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010130</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230233r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure the number of rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>pam_unix</code> PAM module.
<br><br>In file <code>/etc/pam.d/password-auth</code> append <code>rounds=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds">65536</abbr></code> to the <code>pam_unix.so</code> line, as shown below: <pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds">65536</abbr></pre> The system's default number of rounds is 5000.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Using a higher number of rounds makes password cracking attacks more difficult.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_password_auth_pam_unix_rounds_is_set:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Test if rounds attribute of pam_unix.so is not set in /etc/pam.d/password-auth</span> <span class="label
label-default">oval:ssg-test_password_auth_pam_unix_rounds_is_default:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Check if value of var_password_pam_unix_rounds is the system's default</span> <span class="label label-default">oval:ssg-test_password_auth_default_pam_unix_rounds_var:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_password_pam_unix_rounds:var:1</td><td>65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" id="rule-detail-idm45662295476320"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc mediumCCE-81036-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Bash Umask is Set Correctly</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-accounts_umask_etc_bashrc:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81036-6">CCE-81036-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.4</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020353</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230385r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> to read as follows: <pre>umask <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">077</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>63</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement</span> <span class="label label-default">oval:ssg-tst_accounts_umask_etc_bashrc:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_bashrc_umask_as_number:var:1</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" id="rule-detail-idm45662295468784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly in
/etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile unknownCCE-81035-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in /etc/profile</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_umask_etc_profile:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81035-8">CCE-81035-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.4</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as
follows: <pre>umask <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">077</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>63</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement</span> <span class="label label-default">oval:ssg-tst_accounts_umask_etc_profile:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_profile_umask_as_number:var:1</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default
rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-detail-idm45662295463952"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs mediumCCE-82888-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_umask_etc_login_defs:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82888-9">CCE-82888-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020351</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230383r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc/login.defs</code> to read as follows: <pre>UMASK <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">077</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The umask value influences the permissions assigned to files when they are created.
>A misconfigured umask value could result in files with excessive permissions that can be read and >written to by unauthorized users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> > <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>63</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement</span> > <span class="label label-default">oval:ssg-tst_accounts_umask_etc_login_defs:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_login_defs_umask_as_number:var:1</td><td>63</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" id="rule-detail-idm45662295525840"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Polyinstantiation of /tmp Directoriesxccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp lowCCE-83732-8 </div><div class="panel-heading"><h3 class="panel-title">Configure Polyinstantiation of /tmp 
Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_polyinstantiated_tmp:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83732-8">CCE-83732-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure polyinstantiated /tmp directories, first create the parent directories >which will hold the polyinstantiation child directories. 
Use the following command: ><pre>$ sudo mkdir --mode 000 /tmp/tmp-inst</pre> >Then, add the following entry to <code>/etc/security/namespace.conf</code>: ><pre>/tmp /tmp/tmp-inst/ level root,adm</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Polyinstantiation of temporary directories is a proactive security measure >which reduces chances of attacks that are made possible by /tmp >directories being world-writable.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that /tmp/tmp-inst exists and has mode 000</span> > <span class="label label-default">oval:ssg-test_tmp_inst:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/tmp/tmp-inst/</td><td>directory</td><td>0</td><td>0</td><td>57</td><td><code>--------- </code></td></tr></tbody></table><h4><span class="label label-primary">Check configuration of /tmp in /etc/security/namespace.conf file</span> > <span class="label label-default">oval:ssg-test_tmp_in_namespace_conf:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/namespace.conf</td><td>/tmp /tmp/tmp-inst/ level root,adm</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" 
id="rule-detail-idm45662295500832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Polyinstantiation of /var/tmp Directoriesxccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp lowCCE-83778-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Polyinstantiation of /var/tmp Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_polyinstantiated_var_tmp:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83778-1">CCE-83778-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure polyinstantiated /tmp directories, first create the parent directories >which will hold the polyinstantiation child directories. Use the following command: ><pre>$ sudo mkdir --mode 000 /var/tmp/tmp-inst</pre> >Then, add the following entry to <code>/etc/security/namespace.conf</code>: ><pre>/var/tmp /var/tmp/tmp-inst/ level root,adm</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Polyinstantiation of temporary directories is a proactive security measure >which reduces chances of attacks that are made possible by /var/tmp >directories being world-writable.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that /tmp-inst exists and has mode 000</span> > <span class="label label-default">oval:ssg-test_var_tmp_tmp_inst:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size 
(B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/tmp/tmp-inst/</td><td>directory</td><td>0</td><td>0</td><td>57</td><td><code>--------- </code></td></tr></tbody></table><h4><span class="label label-primary">Check configuration of /tmp in /etc/security/namespace.conf file</span> > <span class="label label-default">oval:ssg-test_var_tmp_in_namespace_conf:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/namespace.conf</td><td>/var/tmp /var/tmp/tmp-inst/ level root,adm</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_tmout" id="rule-detail-idm45662295496832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-80673-7 </div><div class="panel-heading"><h3 class="panel-title">Set Interactive Session Timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_tmout</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_tmout:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80673-7">CCE-80673-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000057</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002361</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000029-GPOS-00010</a>, <a href="">SRG-OS-000163-VMM-000700</a>, <a href="">SRG-OS-000279-VMM-001010</a></p></td></tr><tr><td>Description</td><td><div class="description">Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that >all user sessions will terminate based on inactivity. The <code>TMOUT</code> > >setting in a file loaded by <code>/etc/profile</code>, e.g. ><code>/etc/profile.d/tmout.sh</code> should read as follows: ><pre>TMOUT=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_tmout">600</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Terminating an idle session within a short time period reduces >the window of opportunity for unauthorized personnel to take control of a >management session enabled on the console or console port that has been >left unattended.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">TMOUT in /etc/profile</span> > <span class="label label-default">oval:ssg-test_etc_profile_tmout:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_profile_tmout:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/profile</td><td>^[\s]*TMOUT=([\w$]+).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">TMOUT in /etc/profile.d/*.sh</span> > <span class="label label-default">oval:ssg-test_etc_profiled_tmout:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/profile.d/tmout.sh</td><td>TMOUT=600</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" id="rule-detail-idm45662295094256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo mediumCCE-80737-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - sudo</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_privileged_commands_sudo:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A 
globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80737-0">CCE-80737-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.2.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="">SRG-OS-000471-VMM-001910</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect the execution of >privileged commands for all users and root. 
If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threats. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. 
As such, motivation exists to monitor these programs for >unusual activity.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span> > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules sudo</span> > <span class="label label-default">oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/rules.d/privileged.rules</td><td>-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged ></td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl sudo</span> > <span class="label label-default">oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged > ></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" id="rule-detail-idm45662294879648"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting Secure Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects mediumCCE-81017-6 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Secure Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81017-6">CCE-81017-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, 
<a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0</pre>
To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.secure_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration</span>&nbsp;
<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_secure_redirects:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81017-6: Set net.ipv4.conf.default.secure_redirects = 0 in /etc/sysctl.conf
net.ipv4.conf.default.secure_redirects = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81017-6: Set net.ipv4.conf.default.secure_redirects = 0 in /etc/sysctl.conf
net.ipv4.conf.default.secure_redirects = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_secure_redirects:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_secure_redirects:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.secure_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail
rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-detail-idm45662294874736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-80917-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Accepting ICMP Redirects for All IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80917-8">CCE-80917-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001503</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040280</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230544r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre>
To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.accept_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
<br>
This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration</span>&nbsp;
<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-80917-8: Set net.ipv4.conf.all.accept_redirects = 0 in /etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-80917-8: Set net.ipv4.conf.all.accept_redirects = 0 in /etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_redirects:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_redirects:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.accept_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-detail-idm45662294867760"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-80920-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80920-2">CCE-80920-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040250</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230539r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.accept_source_route = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. <br> Accepting source-routed packets in the IPv4 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-80920-2: Set net.ipv4.conf.default.accept_source_route = 0 in /etc/sysctl.conf
net.ipv4.conf.default.accept_source_route = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-80920-2: Set net.ipv4.conf.default.accept_source_route = 0 in /etc/sysctl.conf
net.ipv4.conf.default.accept_source_route = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label 
label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_source_route:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" id="rule-detail-idm45662294862832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies mediumCCE-80923-6 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80923-6">CCE-80923-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.8</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001095</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000420-GPOS-00186</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000142-GPOS-00071</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.tcp_syncookies = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_tcp_syncookies:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-80923-6: Set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_syncookies:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-80923-6: Set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_tcp_syncookies:tst:1</span>&nbsp; <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_tcp_syncookies:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_tcp_syncookies:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.tcp_syncookies</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range" id="rule-detail-idm45662294857984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Kernel Parameter to Increase Local Port Rangexccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range mediumCCE-84277-3 </div><div class="panel-heading"><h3 class="panel-title">Set Kernel Parameter to Increase Local Port Range</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_ip_local_port_range:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84277-3">CCE-84277-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.ip_local_port_range</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_local_port_range="32768 65535"</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.ip_local_port_range = 32768 65535</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">This setting defines the local port range that is used by TCP and UDP to choose the local port. 
The first number is the first, the second the last local port number.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.ip_local_port_range static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_ip_local_port_range:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>net.ipv4.ip_local_port_range = 32768 65535</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_ip_local_port_range:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>net.ipv4.ip_local_port_range = 32768 65535</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_ip_local_port_range:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_ip_local_port_range:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_local_port_range:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_local_port_range:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.ip_local_port_range set to 32768 65535</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_ip_local_port_range:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.ip_local_port_range</td><td>32768 65535</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-detail-idm45662294853984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 
Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-80919-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80919-4">CCE-80919-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040210</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230535r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.accept_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. <br>This feature of the IPv4 protocol has few legitimate uses. 
It should be disabled unless absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-80919-4: Set net.ipv4.conf.default.accept_redirects = 0 in /etc/sysctl.conf
net.ipv4.conf.default.accept_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-80919-4: Set net.ipv4.conf.default.accept_redirects = 0 in /etc/sysctl.conf
net.ipv4.conf.default.accept_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.accept_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail 
rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" id="rule-detail-idm45662294849072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians unknownCCE-81018-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81018-4">CCE-81018-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.4</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.log_martians</code> kernel parameter, run the 
following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.log_martians=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.log_martians = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_log_martians:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81018-4: Set net.ipv4.conf.all.log_martians = 1 in /etc/sysctl.conf
net.ipv4.conf.all.log_martians = 1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_log_martians:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81018-4: Set net.ipv4.conf.all.log_martians = 1 in /etc/sysctl.conf 
>net.ipv4.conf.all.log_martians = 1 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_log_martians:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_log_martians:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_log_martians:tst:1</span>Â > <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.log_martians</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" id="rule-detail-idm45662294844192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknownCCE-81023-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81023-4">CCE-81023-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.6</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81023-4: Set net.ipv4.icmp_ignore_bogus_error_responses = 1 in /etc/sysctl.conf
net.ipv4.icmp_ignore_bogus_error_responses = 1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label
label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81023-4: Set net.ipv4.icmp_ignore_bogus_error_responses = 1 in /etc/sysctl.conf
net.ipv4.icmp_ignore_bogus_error_responses = 1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table
table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.icmp_ignore_bogus_error_responses</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" id="rule-detail-idm45662294839264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter mediumCCE-81022-6 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81022-6">CCE-81022-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.7</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.rp_filter = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on.
It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_rp_filter:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81022-6: Set net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81022-6: Set net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_rp_filter:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.rp_filter</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" id="rule-detail-idm45662294834368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects mediumCCE-81016-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81016-8">CCE-81016-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a
href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001503</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.secure_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81016-8: Set net.ipv4.conf.all.secure_redirects = 0 in /etc/sysctl.conf
net.ipv4.conf.all.secure_redirects = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81016-8: Set net.ipv4.conf.all.secure_redirects = 0 in /etc/sysctl.conf
net.ipv4.conf.all.secure_redirects = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.secure_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-detail-idm45662294829456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-81011-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81011-9">CCE-81011-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, 
<a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040240</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230538r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.accept_source_route = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. <br><br> Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td># Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337" id="rule-detail-idm45662294824544"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337 mediumCCE-84270-8 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_tcp_rfc1337:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84270-8">CCE-84270-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.tcp_rfc1337</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_rfc1337=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.tcp_rfc1337 = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Enable TCP behavior conformant with RFC 1337. 
When disabled, if a RST is received in TIME_WAIT state, we close the socket immediately without waiting for the end of the TIME_WAIT period.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.tcp_rfc1337 static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_tcp_rfc1337:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84270-8: Set net.ipv4.tcp_rfc1337 = 1 in /etc/sysctl.conf
net.ipv4.tcp_rfc1337 = 1
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_rfc1337:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84270-8: Set net.ipv4.tcp_rfc1337 = 1 in /etc/sysctl.conf
net.ipv4.tcp_rfc1337 = 1
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_tcp_rfc1337:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_tcp_rfc1337:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_rfc1337[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_rfc1337:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_rfc1337:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_rfc1337[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.tcp_rfc1337 set to the appropriate value</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_tcp_rfc1337:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.tcp_rfc1337</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" id="rule-detail-idm45662294814256"><div class="keywords sr-only"><!--This allows OpenSCAP JS 
to search the report rules-->Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-81021-8 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81021-8">CCE-81021-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.7</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040285</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230549r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.rp_filter = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. 
It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td># Source route verification
net.ipv4.conf.all.rp_filter = 1
</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_rp_filter:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.rp_filter</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-detail-idm45662294809392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-80921-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80921-0">CCE-80921-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.1.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040270</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230543r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.send_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
<br> The ability to send ICMP redirects is only appropriate for systems acting as routers.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>net.ipv4.conf.default.send_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>net.ipv4.conf.default.send_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_send_redirects:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_send_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.send_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-detail-idm45662294805360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the 
report rules-->Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-80918-6 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80918-6">CCE-80918-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.1.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040220</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230536r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.send_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
<br> The ability to send ICMP redirects is only appropriate for systems acting as routers.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>net.ipv4.conf.all.send_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>net.ipv4.conf.all.send_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table 
table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_send_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.send_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-detail-idm45662294801344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for IP Forwarding on IPv4 
Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward mediumCCE-81024-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_ip_forward:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81024-2">CCE-81024-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.1.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040260</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230540r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: 
<pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.ip_forward = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.ip_forward static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_ip_forward:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>net.ipv4.ip_forward = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_ip_forward:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following 
items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>net.ipv4.ip_forward = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_ip_forward:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_ip_forward:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_forward:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_forward:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.ip_forward set to 0</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_ip_forward:tst:1</span>&nbsp; <span 
class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.ip_forward</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" id="rule-detail-idm45662294785744"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-81010-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81010-1">CCE-81010-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.2</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040210</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230535r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit ICMP redirect message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span 
class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span 
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static 
configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81010-1: Set net.ipv6.conf.default.accept_redirects = 0 in /etc/sysctl.conf
net.ipv6.conf.default.accept_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81010-1: Set net.ipv6.conf.default.accept_redirects = 0 in /etc/sysctl.conf
net.ipv6.conf.default.accept_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref" id="rule-detail-idm45662294780832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref unknownCCE-84288-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84288-0">CCE-84288-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_rtr_pref</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_ra_rtr_pref = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_rtr_pref static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84288-0: Set net.ipv6.conf.all.accept_ra_rtr_pref = 0 in /etc/sysctl.conf
net.ipv6.conf.all.accept_ra_rtr_pref = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84288-0: Set net.ipv6.conf.all.accept_ra_rtr_pref = 0 in /etc/sysctl.conf
net.ipv6.conf.all.accept_ra_rtr_pref = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_ra_rtr_pref set to the appropriate value</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_ra_rtr_pref</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses" id="rule-detail-idm45662294775920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses unknownCCE-84257-5 </div><div class="panel-heading"><h3 class="panel-title">Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_max_addresses:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84257-5">CCE-84257-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.max_addresses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.max_addresses=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.max_addresses = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&nbsp; <span class="label 
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.max_addresses static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_max_addresses:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84257-5: Set net.ipv6.conf.default.max_addresses = 1 in /etc/sysctl.conf >net.ipv6.conf.default.max_addresses = 1 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_max_addresses:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84257-5: Set net.ipv6.conf.default.max_addresses = 1 in /etc/sysctl.conf >net.ipv6.conf.default.max_addresses = 1 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_max_addresses:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_max_addresses:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_max_addresses:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_max_addresses:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.max_addresses set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_max_addresses:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.max_addresses</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" id="rule-detail-idm45662294765584"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route mediumCCE-81015-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81015-0">CCE-81015-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a 
href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040250</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230539r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Source-routed packets allow the source of the packet to suggest routers >forward the packet along a different path than configured on the router, which can >be used to bypass network security measures. This requirement applies only to the >forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and >the system is functioning as a router. > >Accepting source-routed packets in the IPv6 protocol has few legitimate >uses. 
It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > 
<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81015-0: Set net.ipv6.conf.default.accept_source_route = 0 in /etc/sysctl.conf >net.ipv6.conf.default.accept_source_route = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81015-0: Set net.ipv6.conf.default.accept_source_route = 0 in /etc/sysctl.conf >net.ipv6.conf.default.accept_source_route = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_source_route:obj:1</abbr></strong> of type > 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_source_route:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations" 
id="rule-detail-idm45662294758592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Denying Router Solicitations on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations unknownCCE-83477-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Denying Router Solicitations on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_router_solicitations:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83477-0">CCE-83477-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.router_solicitations</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.router_solicitations = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">To prevent discovery of the system by other systems, router solicitation requests should be denied.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.router_solicitations static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_router_solicitations:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-83477-0: Set net.ipv6.conf.default.router_solicitations = 0 in /etc/sysctl.conf >net.ipv6.conf.default.router_solicitations = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_router_solicitations:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-83477-0: Set net.ipv6.conf.default.router_solicitations = 0 in /etc/sysctl.conf >net.ipv6.conf.default.router_solicitations = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_router_solicitations:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_router_solicitations:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_router_solicitations:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_router_solicitations:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table 
table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.router_solicitations set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_router_solicitations:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.router_solicitations</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-detail-idm45662294753664"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-81013-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81013-5">CCE-81013-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040240</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230538r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_source_route = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. <br><br> Accepting source-routed packets in the IPv6 protocol has few legitimate uses.
It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > 
<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81013-5: Set net.ipv6.conf.all.accept_source_route = 0 in /etc/sysctl.conf >net.ipv6.conf.all.accept_source_route = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81013-5: Set net.ipv6.conf.all.accept_source_route = 0 in /etc/sysctl.conf >net.ipv6.conf.all.accept_source_route = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_source_route:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table 
class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_source_route:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf" id="rule-detail-idm45662294746048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the 
report rules-->Configure Auto Configuration on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf unknownCCE-84264-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Auto Configuration on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_autoconf:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84264-1">CCE-84264-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.autoconf</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.autoconf=0</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.autoconf = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.autoconf static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_autoconf:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84264-1: Set net.ipv6.conf.default.autoconf = 0 in /etc/sysctl.conf >net.ipv6.conf.default.autoconf = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_autoconf:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84264-1: Set net.ipv6.conf.default.autoconf = 0 in /etc/sysctl.conf >net.ipv6.conf.default.autoconf = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_autoconf:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_autoconf:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_autoconf:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_autoconf:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.autoconf set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_autoconf:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.autoconf</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo" id="rule-detail-idm45662294741168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo unknownCCE-84280-7 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_pinfo:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84280-7">CCE-84280-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_ra_pinfo = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160; <span class="label 
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_pinfo static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84280-7: Set net.ipv6.conf.all.accept_ra_pinfo = 0 in /etc/sysctl.conf
net.ipv6.conf.all.accept_ra_pinfo = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84280-7: Set net.ipv6.conf.all.accept_ra_pinfo = 0 in /etc/sysctl.conf
net.ipv6.conf.all.accept_ra_pinfo = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_pinfo:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span>&#160; 
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_pinfo:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_ra_pinfo set to the appropriate value</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_ra_pinfo</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf" id="rule-detail-idm45662294734208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Auto Configuration on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf unknownCCE-84266-6 </div><div class="panel-heading"><h3 class="panel-title">Configure Auto Configuration on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_autoconf:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84266-6">CCE-84266-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.autoconf</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.autoconf=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.autoconf = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label 
label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.autoconf static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_autoconf:tst:1</span>&#160; <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84266-6: Set net.ipv6.conf.all.autoconf = 0 in /etc/sysctl.conf
net.ipv6.conf.all.autoconf = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_autoconf:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84266-6: Set net.ipv6.conf.all.autoconf = 0 in /etc/sysctl.conf
net.ipv6.conf.all.autoconf = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_autoconf:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_autoconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_autoconf:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_autoconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.autoconf set to the appropriate value</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_autoconf:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.autoconf</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr" id="rule-detail-idm45662294729344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr unknownCCE-84268-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_defrtr:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84268-2">CCE-84268-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_ra_defrtr = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div 
class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label 
label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_defrtr static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84268-2: Set net.ipv6.conf.default.accept_ra_defrtr = 0 in /etc/sysctl.conf
net.ipv6.conf.default.accept_ra_defrtr = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84268-2: Set net.ipv6.conf.default.accept_ra_defrtr = 0 in /etc/sysctl.conf
net.ipv6.conf.default.accept_ra_defrtr = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_defrtr:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_defrtr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_ra_defrtr set to the appropriate value</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_ra_defrtr</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses" id="rule-detail-idm45662294724432"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses unknownCCE-84259-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_max_addresses:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84259-1">CCE-84259-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.max_addresses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.max_addresses=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.max_addresses = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.max_addresses static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_max_addresses:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84259-1: Set net.ipv6.conf.all.max_addresses = 1 in /etc/sysctl.conf
net.ipv6.conf.all.max_addresses = 1
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_max_addresses:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84259-1: Set net.ipv6.conf.all.max_addresses = 1 in /etc/sysctl.conf
net.ipv6.conf.all.max_addresses = 1
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_max_addresses:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_max_addresses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_max_addresses:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_max_addresses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.max_addresses set to the appropriate value</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_max_addresses:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.max_addresses</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo" id="rule-detail-idm45662294719536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo unknownCCE-84051-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84051-2">CCE-84051-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_ra_pinfo = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160; <span class="label
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_pinfo static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84051-2: Set net.ipv6.conf.default.accept_ra_pinfo = 0 in /etc/sysctl.conf
net.ipv6.conf.default.accept_ra_pinfo = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84051-2: Set net.ipv6.conf.default.accept_ra_pinfo = 0 in /etc/sysctl.conf
net.ipv6.conf.default.accept_ra_pinfo = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_pinfo:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_pinfo:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_ra_pinfo set to the appropriate value</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_ra_pinfo</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" id="rule-detail-idm45662294714624"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref unknownCCE-84291-4 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_rtr_pref:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84291-4">CCE-84291-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_rtr_pref</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_ra_rtr_pref = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a
man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label
label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_rtr_pref static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84291-4: Set net.ipv6.conf.default.accept_ra_rtr_pref = 0 in /etc/sysctl.conf
net.ipv6.conf.default.accept_ra_rtr_pref = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84291-4: Set net.ipv6.conf.default.accept_ra_rtr_pref = 0 in /etc/sysctl.conf
net.ipv6.conf.default.accept_ra_rtr_pref = 0
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_ra_rtr_pref set to the appropriate value</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_ra_rtr_pref</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects"
id="rule-detail-idm45662294709696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-81009-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Accepting ICMP Redirects for All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81009-3">CCE-81009-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.3.2</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040280</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230544r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit ICMP redirect message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label 
label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration</span>Â > <span 
class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81009-3: Set net.ipv6.conf.all.accept_redirects = 0 in /etc/sysctl.conf
net.ipv6.conf.all.accept_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81009-3: Set net.ipv6.conf.all.accept_redirects = 0 in /etc/sysctl.conf
net.ipv6.conf.all.accept_redirects = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_redirects:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations" id="rule-detail-idm45662294702080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Denying Router 
Solicitations on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations unknownCCE-84109-8 </div><div class="panel-heading"><h3 class="panel-title">Configure Denying Router Solicitations on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_router_solicitations:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84109-8">CCE-84109-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.router_solicitations</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.router_solicitations = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">To prevent discovery of the system by other systems, router solicitation requests should be denied.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.router_solicitations static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_router_solicitations:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84109-8: Set net.ipv6.conf.all.router_solicitations = 0 in /etc/sysctl.conf >net.ipv6.conf.all.router_solicitations = 0 > ></td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_router_solicitations:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84109-8: Set net.ipv6.conf.all.router_solicitations = 0 in /etc/sysctl.conf
net.ipv6.conf.all.router_solicitations = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_router_solicitations:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_router_solicitations:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_router_solicitations:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_router_solicitations:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.router_solicitations set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_router_solicitations:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.router_solicitations</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr" id="rule-detail-idm45662294697168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Default Router in Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr unknownCCE-84272-4 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84272-4">CCE-84272-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_ra_defrtr = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160; <span class="label 
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_defrtr static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84272-4: Set net.ipv6.conf.all.accept_ra_defrtr = 0 in /etc/sysctl.conf
net.ipv6.conf.all.accept_ra_defrtr = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84272-4: Set net.ipv6.conf.all.accept_ra_defrtr = 0 in /etc/sysctl.conf
net.ipv6.conf.all.accept_ra_defrtr = 0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_defrtr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_defrtr:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_ra_defrtr set to the appropriate value</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_ra_defrtr</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" id="rule-detail-idm45662294650352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Logrotate Runs Periodicallyxccdf_org.ssgproject.content_rule_ensure_logrotate_activated mediumCCE-80794-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logrotate Runs Periodically</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_logrotate_activated</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_logrotate_activated:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80794-1">CCE-80794-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT12(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>logrotate</code> utility allows for the automatic rotation of >log files. 
The frequency of rotation is specified in <code>/etc/logrotate.conf</code>, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in <code>/etc/logrotate.conf</code>: <pre># rotate log files <i>frequency</i>
daily</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests the presence of daily setting in /etc/logrotate.conf file</span>&nbsp; <span class="label label-default">oval:ssg-test_logrotate_conf_daily_setting:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/logrotate.conf</td><td>daily</td></tr></tbody></table><h4><span class="label label-primary">Test if there is no weekly/monthly/yearly keyword</span>&nbsp; <span class="label label-default">oval:ssg-test_logrotate_conf_no_other_keyword:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_logrotate_conf_no_other_keyword:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/logrotate.conf</td><td>^\s*(weekly|monthly|yearly)[\s#]*$</td><td>1</td></tr></tbody></table><h4><span 
class="label label-primary">Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)</span>&nbsp; <span class="label label-default">oval:ssg-test_cron_daily_logrotate_existence:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/cron.daily/logrotate</td><td>/usr/sbin/logrotate /etc/logrotate.conf</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-detail-idm45662294646352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost mediumCCE-80863-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logs Sent To Remote Host</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_loghost:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80863-4">CCE-80863-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R7)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R43)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT12(R5)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.5</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001348</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000136</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-030690</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230479r627750_rule</a>, <a href="">SRG-OS-000032-VMM-000130</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting <code><i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></code> appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. <br> To use UDP for log message delivery: <pre>*.* @<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> To use TCP for log message delivery: <pre>*.* @@<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> To use RELP for log message delivery: <pre>*.* :omrelp:<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> There must be a resolvable DNS CNAME or Alias record set to "<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>" for logs to be sent correctly to the centralized logging utility.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">A log server (loghost) receives syslog messages from one or more systems. 
This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensures system configured to export logs to remote host</span>&nbsp; <span class="label label-default">oval:ssg-test_remote_rsyslog_conf:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/rsyslog.conf</td><td>*.* @</td></tr></tbody></table><h4><span class="label label-primary">Ensures system configured to export logs to remote host</span>&nbsp; <span class="label label-default">oval:ssg-test_remote_rsyslog_d:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_remote_loghost_rsyslog_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.d</td><td>.*</td><td>^\*\.\*[\s]+(?:@|\:omrelp\:)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" id="rule-detail-idm45662294642368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Configure TLS for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls mediumCCE-82457-3 </div><div class="panel-heading"><h3 class="panel-title">Configure TLS for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82457-3">CCE-82457-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure <code>rsyslog</code> to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in <code>/etc/rsyslog.conf</code> using action. 
You can use the following command: <pre>echo 'action(type="omfwd" protocol="tcp" Target="&lt;remote system&gt;" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf</pre> Replace the <code>&lt;remote system&gt;</code> in the above command with an IP address or a host name of the remote logging server.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the omfwd action configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_rsyslog_remote_tls:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*action\((?i)type(?-i)="omfwd"(.+?)\)</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" id="rule-detail-idm45662294638400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure CA certificate for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert mediumCCE-82458-1 </div><div 
class="panel-heading"><h3 class="panel-title">Configure CA certificate for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls_cacert:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82458-1">CCE-82458-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure CA certificate for <code>rsyslog</code> logging to remote server using Transport Layer Security (TLS) using correct path for the <code>DefaultNetstreamDriverCAFile</code> global option in <code>/etc/rsyslog.conf</code>, for example with the following command: <pre>echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf</pre> Replace the <code>/etc/pki/tls/cert.pem</code> in the above command with the path to the file with CA certificate generated for the purpose of remote logging.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The CA certificate needs to be set or <code>rsyslog.service</code> fails to start with <pre>error: ca certificate is not set, cannot continue</pre></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the 
DefaultNetstreamDriverCAFile configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_rsyslog_remote_tls_cacert:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls_cacert:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*global\(DefaultNetstreamDriverCAFile="(.+?)"\)\s*\n</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-detail-idm45662294616640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Log Files Are Owned By Appropriate Groupxccdf_org.ssgproject.content_rule_rsyslog_files_groupownership mediumCCE-80860-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_groupownership:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80860-0">CCE-80860-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The group-owner of all log files written by 
<code>rsyslog</code> should be <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value">root</abbr></code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's group owner: <pre>$ ls -l <i>LOGFILE</i></pre> If the owner is not <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value">root</abbr></code>, run the following command to correct this: <pre>$ sudo chgrp <abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value">root</abbr> <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. 
Log files should be protected from unauthorized access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files are owned by the appropriate group</span>&nbsp; <span class="label label-default">oval:ssg-test_rsyslog_files_groupownership:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>312093</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>967</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/boot.log</td><td>regular</td><td>0</td><td>0</td><td>7596</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>2482</td><td><code>rw-------&nbsp;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-detail-idm45662294612640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Log Files Are Owned By Appropriate Userxccdf_org.ssgproject.content_rule_rsyslog_files_ownership mediumCCE-80861-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate 
User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_ownership:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80861-8">CCE-80861-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The owner of all log files written by <code>rsyslog</code> should be <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_owner_logfiles_value">root</abbr></code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's owner: <pre>$ ls -l <i>LOGFILE</i></pre> If the owner is not <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_owner_logfiles_value">root</abbr></code>, run the following command to correct this: <pre>$ sudo chown <abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_owner_logfiles_value">root</abbr> <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. 
Log files should be protected from unauthorized access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files are owned by the appropriate user</span>&nbsp; <span class="label label-default">oval:ssg-test_rsyslog_files_ownership:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>312093</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>967</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/boot.log</td><td>regular</td><td>0</td><td>0</td><td>7596</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>2482</td><td><code>rw-------&nbsp;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" id="rule-detail-idm45662294608656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure System Log Files Have Correct Permissionsxccdf_org.ssgproject.content_rule_rsyslog_files_permissions mediumCCE-80862-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure System Log Files Have Correct 
Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_permissions:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80862-6">CCE-80862-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.3</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The file permissions for all log files written by <code>rsyslog</code> should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's permissions: <pre>$ ls -l <i>LOGFILE</i></pre> If the permissions are not 600 or more restrictive, run the following command to correct this: <pre>$ sudo chmod 0600 <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Permissions of system log files are correct</span>&nbsp; <span class="label label-default">oval:ssg-test_rsyslog_files_permissions:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>312093</td><td><code>rw-------&nbsp;
</code></td></tr><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>967</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/boot.log</td><td>regular</td><td>0</td><td>0</td><td>7596</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>2482</td><td><code>rw-------&nbsp;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed" id="rule-detail-idm45662294664400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog-gnutls is installedxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed mediumCCE-82859-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog-gnutls is installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsyslog-gnutls_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82859-0">CCE-82859-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-030680</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230478r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">TLS protocol support for rsyslog is installed. 
The <code>rsyslog-gnutls</code> package can be installed with the following command: <pre> $ sudo yum install rsyslog-gnutls</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog-gnutls is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_rsyslog-gnutls_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog-gnutls</td><td>x86_64</td><td>(none)</td><td>7.el8_4.2</td><td>8.1911.0</td><td>0:8.1911.0-7.el8_4.2</td><td>199e2f91fd431d51</td><td>rsyslog-gnutls-0:8.1911.0-7.el8_4.2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-detail-idm45662294660400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-80847-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog is Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsyslog_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80847-7">CCE-80847-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-030670</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230477r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ sudo yum install rsyslog</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides system logging services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_rsyslog_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>7.el8_4.2</td><td>8.1911.0</td><td>0:8.1911.0-7.el8_4.2</td><td>199e2f91fd431d51</td><td>rsyslog-0:8.1911.0-7.el8_4.2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-detail-idm45662294656400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-80886-5 </div><div class="panel-heading"><h3 class="panel-title">Enable rsyslog Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_rsyslog_enabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80886-5">CCE-80886-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.2.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010561</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230298r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 8. The <code>rsyslog</code> service can be enabled with the following command: <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide logging services, which are essential to system administration.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>7.el8_4.2</td><td>8.1911.0</td><td>0:8.1911.0-7.el8_4.2</td><td>199e2f91fd431d51</td><td>rsyslog-0:8.1911.0-7.el8_4.2.x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">Test that the rsyslog service is running</span>Â > <span class="label label-default">oval:ssg-test_service_running_rsyslog:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>rsyslog.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>Â > <span class="label label-default">oval:ssg-test_multi_user_wants_rsyslog:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>De
pendency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var-tmp.mount</td><td>var.mount</td><td>sysinit.target</td><td>plymouth-read-write.service</td><td>lvm2-monitor.service</td><td>cryptsetup.target</td><td>systemd-hwdb-update.service</td><td>sys-kernel-debug.mount</td><td>local-fs.target</td><td>-.mount</td><td>srv.mount</td><td>opt.mount</td><td>home.mount</td><td>var-log.mount</td><td>tmp.mount</td><td>var-log-audit.mount</td><td>usr.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>ostree-remount.service</td><td>lvm2-lvmpolld.socket</td><td>systemd-journal-flush.service</td><td>nis-domainname.service</td><td>iscsi-onboot.service</td><td>ldconfig.service</td><td>systemd-udevd.servi
ce</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-utmp.service</td><td>systemd-random-seed.service</td><td>plymouth-start.service</td><td>dev-mqueue.mount</td><td>systemd-tmpfiles-setup.service</td><td>systemd-update-done.service</td><td>systemd-sysctl.service</td><td>systemd-modules-load.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-binfmt.service</td><td>selinux-autorelabel-mark.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>dev-hugepages.mount</td><td>systemd-udev-trigger.service</td><td>systemd-machine-id-commit.service</td><td>systemd-sysusers.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>sys-kernel-config.mount</td><td>loadmodules.service</td><td>swap.target</td><td>dev-mapper-rhel\x2dswap.swap</td><td>kmod-static-nodes.service</td><td>multipathd.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-journald.service</td><td>dracut-shutdown.service</td><td>paths.target</td><td>timers.target</td><td>dnf-makecache.timer</td><td>dnf-automatic.timer</td><td>mlocate-updatedb.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-journald.socket</td><td>avahi-daemon.socket</td><td>systemd-journald-dev-log.socket</td><td>dm-event.socket</td><td>libvirtd-ro.socket</td><td>dbus.socket</td><td>libvirtd.socket</td><td>virtlogd.socket</td><td>virtlockd.socket</td><td>systemd-coredump.socket</td><td>iscsiuio.socket</td><td>systemd-udevd-kernel.socket</td><td>multipathd.socket</td><td>systemd-initctl.socket</td><td>iscsid.socket</td><td>cups.socket</td><td>systemd-udevd-control.socket</td><td>rpcbind.socket</td><td>sssd-kcm.socket</td><td>microcode.service</td><td>mdmonitor.service</td><td>smartd.service</td><td>sssd.service</td><td>plymouth-quit-wait.service</td><td>auditd.service</td><td>nfs-client.target</td><td>auth-rpcgss
-module.service</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>getty@tty1.service</td><td>vdo.service</td><td>plymouth-quit.service</td><td>mcelog.service</td><td>systemd-ask-password-wall.path</td><td>ksm.service</td><td>tuned.service</td><td>rpcbind.service</td><td>rsyslog.service</td><td>ModemManager.service</td><td>chronyd.service</td><td>systemd-logind.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>NetworkManager.service</td><td>libstoragemgmt.service</td><td>vmtoolsd.service</td><td>sshd.service</td><td>ksmtuned.service</td><td>firewalld.service</td><td>irqbalance.service</td><td>cups.service</td><td>systemd-user-sessions.service</td><td>rhsmcertd.service</td><td>avahi-daemon.service</td><td>dbus.service</td><td>kdump.service</td><td>libvirtd.service</td><td>cups.path</td><td>remote-fs.target</td><td>iscsi.service</td><td>var-lib-machines.mount</td><td>atd.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&#160; <span class="label label-default">oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var-tmp.mount</td><td>var.mount</td><td>sysinit.target</td><td>plymouth-read-write.service</td><td>lvm2-monitor.service</td><td>cryptsetup.target</td><td>systemd-hwdb-update.service</td><td>sys-kernel-debug.mount</td><td>local-fs.target</td><td>-.mount</td><td>srv.mount</td><td>opt.mount</td><td>home.mount</td><td>var-log.mount</td><td>tmp.mount</td><td>var-log-audit.mount</td><td>usr.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>ostree-remount.service</td><td>lvm2-lvmpolld.socket</td><td>systemd-journal-flush.service</td><td>nis-domainname.service</td><td>iscsi-onboot.service</td><td>ldconfig.service</td><td>systemd-udevd.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-utmp.service</td><td>systemd-random-seed.service</td><td>plymouth-start.service</td><td>dev-mqueue.mount</td><td>systemd-tmpfiles-setup.service</td><td>systemd-update-done.service</td><td>systemd-sysctl.service</td><td>systemd-modules-load.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-binfmt.service</td><td>selinux-autorelabel-mark.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>dev-hugepages.mount</td><td>systemd-udev-trigger.service</td><td>systemd-machine-id-commit.service</td><td>systemd-sysusers.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>sys-kernel-config.mount</td><td
>loadmodules.service</td><td>swap.target</td><td>dev-mapper-rhel\x2dswap.swap</td><td>kmod-static-nodes.service</td><td>multipathd.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-journald.service</td><td>dracut-shutdown.service</td><td>paths.target</td><td>timers.target</td><td>dnf-makecache.timer</td><td>dnf-automatic.timer</td><td>mlocate-updatedb.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-journald.socket</td><td>avahi-daemon.socket</td><td>systemd-journald-dev-log.socket</td><td>dm-event.socket</td><td>libvirtd-ro.socket</td><td>dbus.socket</td><td>libvirtd.socket</td><td>virtlogd.socket</td><td>virtlockd.socket</td><td>systemd-coredump.socket</td><td>iscsiuio.socket</td><td>systemd-udevd-kernel.socket</td><td>multipathd.socket</td><td>systemd-initctl.socket</td><td>iscsid.socket</td><td>cups.socket</td><td>systemd-udevd-control.socket</td><td>rpcbind.socket</td><td>sssd-kcm.socket</td><td>microcode.service</td><td>mdmonitor.service</td><td>smartd.service</td><td>sssd.service</td><td>plymouth-quit-wait.service</td><td>auditd.service</td><td>nfs-client.target</td><td>auth-rpcgss-module.service</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>getty@tty1.service</td><td>vdo.service</td><td>plymouth-quit.service</td><td>mcelog.service</td><td>systemd-ask-password-wall.path</td><td>ksm.service</td><td>tuned.service</td><td>rpcbind.service</td><td>rsyslog.service</td><td>ModemManager.service</td><td>chronyd.service</td><td>systemd-logind.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>NetworkManager.service</td><td>libstoragemgmt.service</td><td>vmtoolsd.service</td><td>sshd.service</td><td>ksmtuned.service</td><td>firewalld.service</td><td>irqbalance.service</td><td>cups.service</td><td>systemd-user-sessions.service</td><td>rhsmcertd.service</td><td
>avahi-daemon.service</td><td>dbus.service</td><td>kdump.service</td><td>libvirtd.service</td><td>cups.path</td><td>remote-fs.target</td><td>iscsi.service</td><td>var-lib-machines.mount</td><td>atd.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" id="rule-detail-idm45662294556272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow mediumCCE-80811-3 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on gshadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_etc_gshadow:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80811-3">CCE-80811-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.5</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description"> >To properly set the permissions of <code>/etc/gshadow</code>, run the command: ><pre>$ sudo chmod 0000 /etc/gshadow</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/gshadow</code> file contains group password hashes. 
Protection of this file is critical for system security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/gshadow</span>&#160; <span class="label label-default">oval:ssg-test_file_permissions_etc_gshadow:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/gshadow">oval:ssg-object_file_permissions_etc_gshadow:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/gshadow</td><td>oval:ssg-state_file_permissions_etc_gshadow_mode_not_0000:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_group" id="rule-detail-idm45662294549568"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on group Filexccdf_org.ssgproject.content_rule_file_permissions_etc_group mediumCCE-80810-5 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on group File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-file_permissions_etc_group:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80810-5">CCE-80810-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.4</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the permissions of <code>/etc/passwd</code>, run the command: <pre>$ sudo chmod 0644 /etc/passwd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/group</code> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/group</span>&#160; <span class="label label-default">oval:ssg-test_file_permissions_etc_group:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/group">oval:ssg-object_file_permissions_etc_group:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/group</td><td>oval:ssg-state_file_permissions_etc_group_mode_not_0644:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" id="rule-detail-idm45662294542864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow mediumCCE-80813-9 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on 
shadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_etc_shadow:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80813-9">CCE-80813-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.3</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the permissions of <code>/etc/shadow</code>, run the command: <pre>$ sudo chmod 0000 /etc/shadow</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/shadow</code> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/shadow</span>&#160; <span class="label label-default">oval:ssg-test_file_permissions_etc_shadow:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/shadow">oval:ssg-object_file_permissions_etc_shadow:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/shadow</td><td>oval:ssg-state_file_permissions_etc_shadow_mode_not_0000:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" id="rule-detail-idm45662294536160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify User Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_gshadow mediumCCE-80802-2 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns gshadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_owner_etc_gshadow:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80802-2">CCE-80802-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.5</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the owner of <code>/etc/gshadow</code>, run the command: <pre>$ sudo chown root /etc/gshadow </pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/gshadow</code> file contains group password hashes. 
Protection of this file >is critical for system security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing user ownership of /etc/gshadow</span>Â > <span class="label label-default">oval:ssg-test_file_owner_etc_gshadow:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/gshadow</td><td>regular</td><td>0</td><td>0</td><td>771</td><td><code>---------Â </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" id="rule-detail-idm45662294513248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify User Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_shadow mediumCCE-80804-8 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns shadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_etc_shadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-file_owner_etc_shadow:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80804-8">CCE-80804-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.3</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the owner of <code>/etc/shadow</code>, run the command: <pre>$ sudo chown root /etc/shadow </pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/shadow</code> file contains the list of local >system accounts and stores password hashes. Protection of this file is >critical for system security. Failure to give ownership of this file >to root provides the designated owner with access to sensitive information >which could weaken the system security posture.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing user ownership of /etc/shadow</span>Â > <span class="label label-default">oval:ssg-test_file_owner_etc_shadow:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/shadow</td><td>regular</td><td>0</td><td>0</td><td>1309</td><td><code>---------Â </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" id="rule-detail-idm45662294498464"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on passwd Filexccdf_org.ssgproject.content_rule_file_permissions_etc_passwd mediumCCE-80812-1 </div><div 
class="panel-heading"><h3 class="panel-title">Verify Permissions on passwd File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_etc_passwd:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80812-1">CCE-80812-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.2</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a 
href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a></p></td></tr><tr><td>Description</td><td><div class="description"> >To properly set the permissions of <code>/etc/passwd</code>, run the command: ><pre>$ sudo chmod 0644 /etc/passwd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If the <code>/etc/passwd</code> file is writable by a group-owner or the >world the risk of its compromise is increased. 
The file contains the list of >accounts on the system and associated information, and protection of this file >is critical for system security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/passwd</span>Â > <span class="label label-default">oval:ssg-test_file_permissions_etc_passwd:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/passwd">oval:ssg-object_file_permissions_etc_passwd:obj:1</abbr></strong> of type > <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>oval:ssg-state_file_permissions_etc_passwd_mode_not_0644:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" id="rule-detail-idm45662294604656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Enforce DAC on Symlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks mediumCCE-81030-9 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Enforce DAC on Symlinks</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_fs_protected_symlinks:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81030-9">CCE-81030-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010373</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230267r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_symlinks=1</pre> >To make sure that the setting is persistent, add the following line to a file in the directory 
<code>/etc/sysctl.d</code>: <pre>fs.protected_symlinks = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of <code>open()</code> or <code>creat()</code>.</div></td></tr></tbody></table>
<div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body">
<h4><span class="label label-primary">fs.protected_symlinks static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_fs_protected_symlinks:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_fs_protected_symlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_fs_protected_symlinks:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_fs_protected_symlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_fs_protected_symlinks:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_fs_protected_symlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_fs_protected_symlinks:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>fs.protected_symlinks = 1</td></tr></tbody></table>
<h4><span class="label label-primary">kernel runtime parameter fs.protected_symlinks set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_fs_protected_symlinks:tst:1</span>&#160; <span class="label
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>fs.protected_symlinks</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned" id="rule-detail-idm45662294595248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All World-Writable Directories Are Owned by root userxccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned mediumCCE-83375-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure All World-Writable Directories Are Owned by root user</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dir_perms_world_writable_root_owned:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:03:27+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83375-6">CCE-83375-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010700</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230318r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">All directories in local partitions which are world-writable should be owned >by root. If any world-writable directories are not owned by root, this >should be investigated. 
Following this, the files should be deleted or assigned to root user.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.</div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45662614409376" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm45662614409376"><pre><code>#!/bin/bash

find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
</code></pre></div></div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45662614407984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm45662614407984"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Configure excluded (non local) file systems
  set_fact:
    excluded_fstypes:
    - afs
    - ceph
    - cifs
    - smb3
    - smbfs
    - sshfs
    - ncpfs
    - ncp
    - nfs
    - nfs4
    - gfs
    - gfs2
    - glusterfs
    - gpfs
    - pvfs2
    - ocfs2
    - lustre
    - davfs
    - fuse.sshfs
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Create empty list of excluded paths
  set_fact:
    excluded_paths: []
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Detect nonlocal file systems and add them to excluded paths
  set_fact:
    excluded_paths: '{{ excluded_paths | union([item.mount]) }}'
  loop: '{{ ansible_mounts }}'
  when: item.fstype in excluded_fstypes
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Find all directories excluding non-local partitions
  find:
    paths: /
    excludes: excluded_paths
    file_type: directory
    hidden: true
    recurse: true
  register: found_dirs
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Create list of world writable directories
  set_fact:
    world_writable_dirs: '{{ found_dirs.files | selectattr(''woth'') | list }}'
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Change owner to root on directories which are world writable
  file:
    path: '{{ item.path }}'
    owner: root
  loop: '{{ world_writable_dirs }}'
  ignore_errors: true
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table>
<div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for local directories that are world writable and have uid greater than 0</span>&#160; <span class="label label-default">oval:ssg-test_dir_world_writable_uid_gt_zero:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/tmp/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_test/.ICE-unix/</td><td>directory</td><td>1000</td><td>1000</td><td>18</td><td><code>rwxrwxrwxt</code></td></tr></tbody></table></div></div></div></div></div>
<div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" id="rule-detail-idm45662294591248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Enforce DAC on Hardlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks mediumCCE-81027-5 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Enforce DAC on Hardlinks</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-sysctl_fs_protected_hardlinks:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:03:27+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81027-5">CCE-81027-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010374</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230268r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_hardlinks=1</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>fs.protected_hardlinks = 
1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of <code>open()</code> or <code>creat()</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">fs.protected_hardlinks static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_fs_protected_hardlinks:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_fs_protected_hardlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_fs_protected_hardlinks:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_fs_protected_hardlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_fs_protected_hardlinks:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_fs_protected_hardlinks:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_fs_protected_hardlinks:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>fs.protected_hardlinks = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter fs.protected_hardlinks set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_fs_protected_hardlinks:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>fs.protected_hardlinks</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-detail-idm45662294587248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All SGID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid mediumCCE-80816-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure All SGID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_sgid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:04:43+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80816-2">CCE-80816-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R37)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R38)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.14</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description">The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files.
This configuration check considers authorized SGID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">sgid files outside system RPMs</span>&#160; <span class="label label-default">oval:ssg-test_file_permissions_unauthorized_sgid:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="files with sgid set which are not owned by any RPM package">oval:ssg-obj_file_permissions_unauthorized_sgid_unowned:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_sgid_filepaths:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-detail-idm45662294583248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All SUID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid mediumCCE-80817-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure All SUID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_suid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:12+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80817-0">CCE-80817-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R37)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R38)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.13</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description">The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files.
This configuration check considers authorized SUID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">suid files outside system RPMs</span>&#160; <span class="label label-default">oval:ssg-test_file_permissions_unauthorized_suid:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="files with suid set which are not owned by any RPM package">oval:ssg-obj_file_permissions_unauthorized_suid_unowned:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_suid_filepaths:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-detail-idm45662294579248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-80783-4 </div><div class="panel-heading"><h3 class="panel-title">Verify that All World-Writable Directories Have Sticky Bits Set</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dir_perms_world_writable_sticky_bits:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:14+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80783-4">CCE-80783-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.21</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001090</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010190</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230243r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">When the so-called 'sticky bit' is set on a directory, >only the owner of a given file may 
remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
<br>
To set the sticky bit on a world-writable directory <i>DIR</i>, run the following command:
<pre>$ sudo chmod +t <i>DIR</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
<br><br>
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as <code>/tmp</code>), and for directories requiring global read/write access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">all local world-writable directories have sticky bit set</span>&#160; <span class="label label-default">oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="only local directories">oval:ssg-object_only_local_directories:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>no value</td><td>oval:ssg-state_world_writable_and_not_sticky:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-detail-idm45662294575248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure No World-Writable Files Existxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable mediumCCE-80818-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure No World-Writable Files Exist</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_world_writable:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80818-8">CCE-80818-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.10</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description">It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. 
Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as <code>sysfs</code> or <code>procfs</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">world writable files</span> <span class="label label-default">oval:ssg-test_file_permissions_unauthorized_world_write:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="world writable">oval:ssg-object_file_permissions_unauthorized_world_write:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_world_write:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" 
id="rule-detail-idm45662294432064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nosuid unknownCCE-83383-0 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83383-0">CCE-83383-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var</code>. 
The SUID and SGID permissions should not be required for this directory. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var</span> <span class="label label-default">oval:ssg-test_var_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var</td><td>/dev/mapper/rhel-var</td><td>3b9bf26c-12ea-4f64-abc1-3fac0b5d2263</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">783872</td><td role="num">64665</td><td role="num">719207</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" id="rule-detail-idm45662294425376"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the 
report rules-->Add noexec Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec mediumCCE-82151-2 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var/tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_tmp_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82151-2">CCE-82151-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040134</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230522r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/tmp</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/tmp</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing users to execute binaries from world-writable directories such as <code>/var/tmp</code> should never be necessary in normal operation and can expose the system to potential compromise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var/tmp</span> <span class="label label-default">oval:ssg-test_var_tmp_partition_noexec:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/tmp</td><td>/dev/mapper/rhel-var_tmp</td><td>5cdb94cd-dc68-4f07-aca4-c8f069f590f1</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10098</td><td role="num">249486</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_home_noexec" id="rule-detail-idm45662294413248"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_noexec mediumCCE-83328-5 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /home</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_home_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_home_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83328-5">CCE-83328-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/home</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/home</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/home</code> directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /home</span> <span class="label label-default">oval:ssg-test_home_partition_noexec:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/rhel-home</td><td>249c85b7-b274-4df5-8ef4-8790ff211f6a</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">13527</td><td role="num">246057</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_noexec" id="rule-detail-idm45662294406560"><div class="keywords sr-only"><!--This 
allows OpenSCAP JS to search the report rules-->Add noexec Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_noexec mediumCCE-83330-1 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83330-1">CCE-83330-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/var</code> directory contains variable system data such as logs, mails and caches. No binaries should be executed from this directory.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var</span> <span class="label label-default">oval:ssg-test_var_partition_noexec:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var</td><td>/dev/mapper/rhel-var</td><td>3b9bf26c-12ea-4f64-abc1-3fac0b5d2263</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">783872</td><td role="num">64660</td><td role="num">719212</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_boot_noexec" id="rule-detail-idm45662294399872"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the 
report rules-->Add noexec Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_noexec mediumCCE-83316-0 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /boot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_boot_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_boot_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83316-0">CCE-83316-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/boot</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/boot</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/boot</code> partition contains the kernel and the bootloader. No binaries should be executed from this partition after the booting process finishes.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /boot</span> <span class="label label-default">oval:ssg-test_boot_partition_noexec:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>9bdb2e77-09b5-4440-bb45-2979a88c80fd</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">129704</td><td role="num">59981</td><td role="num">69723</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" id="rule-detail-idm45662294387776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to 
search the report rules-->Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid mediumCCE-82065-4 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var/log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82065-4">CCE-82065-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040127</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230515r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/log</code>. 
The SUID and SGID permissions should not be required in directories containing log files. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var/log</span> <span class="label label-default">oval:ssg-test_var_log_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/rhel-var_log</td><td>54ebd97a-fc48-4ff8-9e66-637df9cbc902</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">12678</td><td role="num">246906</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid" id="rule-detail-idm45662294379008"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /optxccdf_org.ssgproject.content_rule_mount_option_opt_nosuid mediumCCE-83319-4 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /opt</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_opt_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83319-4">CCE-83319-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/opt</code>. 
The SUID and SGID permissions should not be required in this directory. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/opt</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. The <code>/opt</code> directory contains additional software packages. Users should not be able to execute SUID or SGID binaries from this directory.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /opt</span> <span class="label label-default">oval:ssg-test_opt_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/opt</td><td>/dev/mapper/rhel-opt</td><td>77ae06e9-6dd5-4e0a-b037-f3613a9d7b52</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10073</td><td role="num">249511</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" id="rule-detail-idm45662294369600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid mediumCCE-81033-3 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /boot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_boot_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81033-3">CCE-81033-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010571</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230300r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The 
<code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/boot</code>. The SUID and SGID permissions should not be required on the boot partition. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/boot</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /boot</span>&nbsp; <span class="label label-default">oval:ssg-test_boot_partition_nosuid:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>9bdb2e77-09b5-4440-bb45-2979a88c80fd</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">129704</td><td role="num">59981</td><td role="num">69723</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" id="rule-detail-idm45662294365616"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec mediumCCE-82008-4 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var/log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82008-4">CCE-82008-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040128</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230516r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/log</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing users to execute binaries from directories containing log files such as <code>/var/log</code> should never be necessary in normal operation and can expose the system to potential compromise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var/log</span>&nbsp; <span class="label label-default">oval:ssg-test_var_log_partition_noexec:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/rhel-var_log</td><td>54ebd97a-fc48-4ff8-9e66-637df9cbc902</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">12678</td><td role="num">246906</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" 
id="rule-detail-idm45662294358912"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec mediumCCE-82139-7 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_tmp_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82139-7">CCE-82139-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.5</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040125</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230513r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/tmp</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/tmp</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing users to execute binaries from world-writable directories such as <code>/tmp</code> should never be necessary in normal operation and can expose the system to potential compromise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /tmp</span>&nbsp; <span class="label label-default">oval:ssg-test_tmp_partition_noexec:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space 
left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/rhel-tmp</td><td>7046abce-80d6-421c-bff3-99e32bc334a2</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10119</td><td role="num">249465</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" id="rule-detail-idm45662294354928"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid mediumCCE-82140-5 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_tmp_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82140-5">CCE-82140-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.4</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040124</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230512r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/tmp</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/tmp</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /tmp</span>&nbsp; <span class="label label-default">oval:ssg-test_tmp_partition_nosuid:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space 
left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/rhel-tmp</td><td>7046abce-80d6-421c-bff3-99e32bc334a2</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10119</td><td role="num">249465</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" id="rule-detail-idm45662294350944"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid mediumCCE-82154-6 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var/tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_tmp_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82154-6">CCE-82154-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.9</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040133</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230521r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/tmp</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/tmp</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. 
Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var/tmp</span>&#160; <span class="label label-default">oval:ssg-test_var_tmp_partition_nosuid:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/tmp</td><td>/dev/mapper/rhel-var_tmp</td><td>5cdb94cd-dc68-4f07-aca4-c8f069f590f1</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10098</td><td role="num">249486</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-detail-idm45662294341520"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid mediumCCE-81050-7 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /home</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_home_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_home_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81050-7">CCE-81050-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010570</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230299r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions should not be required in these user data directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/home</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. 
Users should not be able to execute SUID or SGID binaries from user home directory partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /home</span>&#160; <span class="label label-default">oval:ssg-test_home_partition_nosuid:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/rhel-home</td><td>249c85b7-b274-4df5-8ef4-8790ff211f6a</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">13527</td><td role="num">246057</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" id="rule-detail-idm45662294334832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to Non-Root Local Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions mediumCCE-82069-6 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to 
Non-Root Local Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82069-6">CCE-82069-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010580</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230301r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the <code>/dev</code> directory on the root partition or within chroot jails built for system services. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any non-root local partitions.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. 
The only exception to this is chroot jails, for which it is not advised to set <code>nodev</code> on these filesystems.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on local filesystems</span>&#160; <span class="label label-default">oval:ssg-test_nodev_nonroot_local_partitions:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_non_root_partitions:obj:1</abbr></strong> of type <strong>partition_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Filter</th></tr></thead><tbody><tr><td>^/\w.*$</td><td>oval:ssg-state_local_nodev:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid" id="rule-detail-idm45662294330800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /srvxccdf_org.ssgproject.content_rule_mount_option_srv_nosuid mediumCCE-83322-8 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /srv</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-mount_option_srv_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83322-8">CCE-83322-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/srv</code>. The SUID and SGID permissions should not be required in this directory. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/srv</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. The <code>/srv</code> directory contains files served by various network services such as FTP. 
Users should not be able to execute SUID or SGID binaries from this directory.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /srv</span>&#160; <span class="label label-default">oval:ssg-test_srv_partition_nosuid:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/srv</td><td>/dev/mapper/rhel-srv</td><td>77751d51-5128-44d4-b904-41179eafa70e</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10073</td><td role="num">249511</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" id="rule-detail-idm45662294277328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable NX or XD Support in the BIOSxccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions unknownCCE-83918-3 </div><div class="panel-heading"><h3 class="panel-title">Enable NX or XD Support in the BIOS</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83918-3">CCE-83918-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R9)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a></p></td></tr><tr><td>Description</td><td><div class="description">Reboot the system and enter the BIOS or Setup configuration menu. >Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located >under a Security section. 
Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.</div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" id="rule-detail-idm45662294273984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install PAE Kernel on Supported 32-bit x86 Systemsxccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32 unknownCCE-83919-1 </div><div class="panel-heading"><h3 class="panel-title">Install PAE Kernel on Supported 32-bit x86 Systems</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-install_PAE_kernel_on_x86-32:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83919-1">CCE-83919-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R9)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a></p></td></tr><tr><td>Description</td><td><div class="description">Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support. The <code>kernel-PAE</code> package can be installed with the following command: <pre>$ sudo yum install kernel-PAE</pre> The installation process should also have configured the bootloader to load the new kernel at boot. Verify this after reboot and modify <code>/etc/default/grub</code> if necessary.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as this may prevent them from booting.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">32 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_x86:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">CPUs support PAE kernel or NX bit</span>Â > <span class="label label-default">oval:ssg-test_PAE_NX_cpu_support:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/proc/cpuinfo</td><td>flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat umip md_clear arch_capabilities</td></tr></tbody></table><h4><span class="label label-primary">32 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 
2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">Package kernel-PAE is installed</span>Â > <span class="label label-default">oval:ssg-test_package_kernel-PAE_installed:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_package_kernel-PAE_installed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>kernel-PAE</td></tr></tbody></table><h4><span class="label label-primary">check for DEFAULTKERNEL set to kernel-PAE in /etc/sysconfig/kernel</span>Â > <span class="label label-default">oval:ssg-test_defaultkernel_sysconfig_kernel:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_defaultkernel_sysconfig_kernel:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysconfig/kernel</td><td>^\s*DEFAULTKERNEL[\s]*=[\s]*kernel-PAE$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-detail-idm45662294269984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-80916-0 </div><div class="panel-heading"><h3 class="panel-title">Enable Randomized Layout of Virtual Address Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule 
ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_randomize_va_space:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80916-0">CCE-80916-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.6.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002824</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00193</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010430</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230280r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.randomize_va_space = 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Address space layout randomization (ASLR) makes it more difficult for an >attacker to predict the location of attack code they have introduced into a 
>process's address space during an attempt at exploitation. Additionally, >ASLR makes it more difficult for an attacker to know the location of >existing code in order to re-purpose it using return oriented programming >(ROP) techniques.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.randomize_va_space static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_kernel_randomize_va_space:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.randomize_va_space = 2 ></td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_randomize_va_space:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.randomize_va_space = 2 ></td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_randomize_va_space:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_kernel_randomize_va_space:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_randomize_va_space:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_randomize_va_space:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.randomize_va_space set to 2</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_randomize_va_space:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.randomize_va_space</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" id="rule-detail-idm45662294265984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search 
the report rules-->Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-80915-2 </div><div class="panel-heading"><h3 class="panel-title">Restrict Exposed Kernel Pointer Addresses Access</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_kptr_restrict:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80915-2">CCE-80915-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040283</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230547r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=1</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.kptr_restrict = 
1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Exposing kernel pointers (through procfs or <code>seq_printf()</code>) exposes kernel writeable structures that can contain function pointers. If a write vulnerability occurs in the kernel allowing write access to any of these structures, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability from getting the kernel pointer addresses, replacing them with 0.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.kptr_restrict static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_kernel_kptr_restrict:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_kptr_restrict:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_kptr_restrict:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_kptr_restrict:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_kptr_restrict:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>kernel.kptr_restrict = 1 ></td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.kptr_restrict set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_kptr_restrict:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.kptr_restrict</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-detail-idm45662294261984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable ExecShield via sysctlxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield mediumCCE-80914-5 </div><div class="panel-heading"><h3 class="panel-title">Enable ExecShield via sysctl</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_exec_shield:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80914-5">CCE-80914-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R9)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002530</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a></p></td></tr><tr><td>Description</td><td><div class="description">By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is >enabled and can only be disabled if the hardware does not support >ExecShield or is disabled in <code>/etc/default/grub</code>. 
For Red Hat >Enterprise Linux 7 32-bit systems, <code>sysctl</code> can be used to enable >ExecShield.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">ExecShield uses the segmentation feature on all x86 systems to prevent >execution in memory higher than a certain address. It writes an address as >a limit in the code segment descriptor, to control where code can be >executed, on a per-process basis. When the kernel places a process's memory >regions such as the stack and heap higher than this address, the hardware >prevents execution in that address range. This is enabled by default on the >latest Red Hat and Fedora systems if supported by the hardware.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">32 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.exec-shield set to 1</span>Â > <span class="label label-default">oval:ssg-test_runtime_sysctl_kernel_exec_shield:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_exec_shield:obj:1</abbr></strong> of type > 
<strong>sysctl_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>kernel.exec-shield</td></tr></tbody></table><h4><span class="label label-primary">kernel.exec-shield static configuration</span>Â > <span class="label label-default">oval:ssg-test_static_sysctl_kernel_exec_shield:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_exec_shield:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">NX is disabled</span>Â > <span class="label label-default">oval:ssg-test_nx_disabled_grub:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nx_disabled_grub:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td>[\s]*noexec[\s]*=[\s]*off</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" id="rule-detail-idm45662294245120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Core Dumps for SUID programsxccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable mediumCCE-80912-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Core Dumps for SUID programs</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_fs_suid_dumpable:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80912-9">CCE-80912-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.6.1</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>fs.suid_dumpable = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. 
Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">fs.suid_dumpable static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_fs_suid_dumpable:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>fs.suid_dumpable = 0</td></tr></tbody></table><h4><span class="label label-primary">fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_fs_suid_dumpable:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>fs.suid_dumpable = 0</td></tr></tbody></table><h4><span class="label label-primary">fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_fs_suid_dumpable:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_fs_suid_dumpable:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_fs_suid_dumpable:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_fs_suid_dumpable:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter fs.suid_dumpable set to 0</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_fs_suid_dumpable:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>fs.suid_dumpable</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent" id="rule-detail-idm45662294324112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit CPU consumption of the Perf systemxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent mediumCCE-83373-1 </div><div class="panel-heading"><h3 class="panel-title">Limit CPU consumption of the Perf 
system</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_perf_cpu_time_max_percent:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83373-1">CCE-83373-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.perf_cpu_time_max_percent</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.perf_cpu_time_max_percent = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The 
<code>kernel.perf_cpu_time_max_percent</code> configures a threshold for the maximum percentage of CPU time that the Perf system can use. Restricting usage of the <code>Perf</code> system decreases the risk of potential availability problems.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.perf_cpu_time_max_percent static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_kernel_perf_cpu_time_max_percent:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.perf_cpu_time_max_percent = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_perf_cpu_time_max_percent:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.perf_cpu_time_max_percent = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_perf_cpu_time_max_percent:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_kernel_perf_cpu_time_max_percent:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_perf_cpu_time_max_percent:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_perf_cpu_time_max_percent:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.perf_cpu_time_max_percent set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_perf_cpu_time_max_percent:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.perf_cpu_time_max_percent</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled" 
id="rule-detail-idm45662294320096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable loading and unloading of kernel modulesxccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled mediumCCE-83397-0 </div><div class="panel-heading"><h3 class="panel-title">Disable loading and unloading of kernel modules</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_modules_disabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83397-0">CCE-83397-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R24)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.modules_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.modules_disabled=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.modules_disabled = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Malicious kernel modules can have a significant impact on system security and availability. Disabling loading of kernel modules prevents this threat. Note that once this option has been set, it cannot be reverted without doing a system reboot. Make sure that all needed kernel modules are loaded before setting this option.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; This rule doesn't come with Bash remediation. 
Remediating this rule during the installation process disrupts the install and boot process.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45662610550960" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm45662610550960"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure sysctl kernel.modules_disabled is set to 1
  sysctl:
    name: kernel.modules_disabled
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83397-0
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_modules_disabled
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.modules_disabled static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_kernel_modules_disabled:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_modules_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_modules_disabled:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_modules_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_modules_disabled:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_modules_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_modules_disabled:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_modules_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.modules_disabled set to 1</span>Â > <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_modules_disabled:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.modules_disabled</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-detail-idm45662294316096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict mediumCCE-80913-7 </div><div class="panel-heading"><h3 class="panel-title">Restrict Access to Kernel Message Buffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_dmesg_restrict:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80913-7">CCE-80913-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010375</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230269r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.dmesg_restrict = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unprivileged access to the kernel syslog can expose sensitive kernel address information.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.dmesg_restrict static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_kernel_dmesg_restrict:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found 
on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.dmesg_restrict = 1 ></td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_dmesg_restrict:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.dmesg_restrict = 1 ></td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_dmesg_restrict:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_dmesg_restrict:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_dmesg_restrict:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_dmesg_restrict:obj:1</abbr></strong> of type > 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.dmesg_restrict set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_dmesg_restrict:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.dmesg_restrict</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq" id="rule-detail-idm45662294306672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disallow magic SysRq keyxccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq mediumCCE-83355-8 </div><div class="panel-heading"><h3 class="panel-title">Disallow magic SysRq key</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_sysrq:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" 
title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83355-8">CCE-83355-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.sysrq</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.sysrq=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.sysrq = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The Magic SysRq key allows sending certain commands directly to the running kernel. It can dump various system and process information, potentially revealing sensitive information. 
It can also reboot or shut down the machine, disturbing its availability.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.sysrq static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_kernel_sysrq:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.sysrq = 0</td></tr></tbody></table><h4><span class="label label-primary">kernel.sysrq static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_sysrq:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.sysrq = 0</td></tr></tbody></table><h4><span class="label label-primary">kernel.sysrq static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_sysrq:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_sysrq:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.sysrq static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_sysrq:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_sysrq:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.sysrq set to 0</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_sysrq:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.sysrq</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max" id="rule-detail-idm45662294302704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure maximum number of process identifiersxccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max mediumCCE-83366-5 </div><div class="panel-heading"><h3 class="panel-title">Configure maximum number of process identifiers</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_pid_max:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83366-5">CCE-83366-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.pid_max</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.pid_max=65536</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.pid_max = 65536</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>kernel.pid_max</code> parameter configures the upper limit on process identifiers (PID). 
If this number is not high enough, it might happen that forking of new processes is not possible, because all available PIDs are exhausted. Increasing this number enhances availability.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.pid_max static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_kernel_pid_max:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.pid_max = 65536</td></tr></tbody></table><h4><span class="label label-primary">kernel.pid_max static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_pid_max:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.pid_max = 65536</td></tr></tbody></table><h4><span class="label label-primary">kernel.pid_max static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_pid_max:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_pid_max:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.pid_max static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_pid_max:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_pid_max:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.pid_max set to 65536</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_pid_max:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.pid_max</td><td>65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" id="rule-detail-idm45662294296032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-80953-3 </div><div class="panel-heading"><h3 class="panel-title">Restrict usage of ptrace to descendant 
processes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80953-3">CCE-80953-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R25)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040282</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230546r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.yama.ptrace_scope = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. This way, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_kernel_yama_ptrace_scope:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.yama.ptrace_scope = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_yama_ptrace_scope:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.yama.ptrace_scope = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_yama_ptrace_scope:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_yama_ptrace_scope:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.yama.ptrace_scope set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_yama_ptrace_scope:tst:1</span>&#160; <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.yama.ptrace_scope</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate" id="rule-detail-idm45662294289328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit sampling frequency of the Perf systemxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate mediumCCE-83368-1 </div><div class="panel-heading"><h3 class="panel-title">Limit sampling frequency of the Perf system</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_perf_event_max_sample_rate:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83368-1">CCE-83368-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.perf_event_max_sample_rate</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_max_sample_rate=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.perf_event_max_sample_rate = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>kernel.perf_event_max_sample_rate</code> parameter configures the maximum frequency at which samples are collected for the Perf system. It is expressed in samples per second. 
Restricting usage of the <code>Perf</code> system decreases the risk of potential availability problems.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.perf_event_max_sample_rate static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_kernel_perf_event_max_sample_rate:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.perf_event_max_sample_rate = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_perf_event_max_sample_rate:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.perf_event_max_sample_rate = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_perf_event_max_sample_rate:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_perf_event_max_sample_rate:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table 
class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_max_sample_rate:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_max_sample_rate:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.perf_event_max_sample_rate set to 1</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_perf_event_max_sample_rate:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.perf_event_max_sample_rate</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" id="rule-detail-idm45662294285312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disallow kernel profiling by unprivileged 
usersxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid mediumCCE-81054-9 </div><div class="panel-heading"><h3 class="panel-title">Disallow kernel profiling by unprivileged users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_perf_event_paranoid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81054-9">CCE-81054-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001090</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010376</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230270r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.perf_event_paranoid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_paranoid=2</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.perf_event_paranoid = 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Kernel profiling can reveal sensitive information about kernel behaviour.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label 
label-primary">kernel.perf_event_paranoid static configuration</span>&#160; <span class="label label-default">oval:ssg-test_static_sysctl_kernel_perf_event_paranoid:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.perf_event_paranoid = 2</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_perf_event_paranoid:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.perf_event_paranoid = 2</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_perf_event_paranoid:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_perf_event_paranoid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>&#160; <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_paranoid:tst:1</span>&#160; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_paranoid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.perf_event_paranoid set to 2</span>&#160; <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_perf_event_paranoid:tst:1</span>&#160; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.perf_event_paranoid</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr" id="rule-detail-idm45662294281312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent applications from mapping low portion of virtual memoryxccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr mediumCCE-83363-2 </div><div class="panel-heading"><h3 class="panel-title">Prevent applications from mapping low portion of virtual memory</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_vm_mmap_min_addr:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83363-2">CCE-83363-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>vm.mmap_min_addr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w vm.mmap_min_addr=65536</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>vm.mmap_min_addr = 65536</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>vm.mmap_min_addr</code> parameter specifies the minimum virtual address that a process is allowed to mmap. 
Allowing a process to mmap the low portion of virtual memory can have security implications, such as a heightened risk of kernel null pointer dereference defects.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">vm.mmap_min_addr static configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_static_sysctl_vm_mmap_min_addr:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>vm.mmap_min_addr = 65536</td></tr></tbody></table><h4><span class="label label-primary">vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_etc_sysctld_vm_mmap_min_addr:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>vm.mmap_min_addr = 65536</td></tr></tbody></table><h4><span class="label label-primary">vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_run_sysctld_vm_mmap_min_addr:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_vm_mmap_min_addr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf</span>&nbsp; <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_vm_mmap_min_addr:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_vm_mmap_min_addr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter vm.mmap_min_addr set to 65536</span>&nbsp; <span class="label label-default">oval:ssg-test_sysctl_runtime_vm_mmap_min_addr:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>vm.mmap_min_addr</td><td>65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_password" id="rule-detail-idm45662294213488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-80828-7 </div><div class="panel-heading"><h3 class="panel-title">Set Boot Loader Password in grub2</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_password:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80828-7">CCE-80828-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R17)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.5.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010150</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230235r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passwords are a security risk, generate a hash for the password by running the following command: <pre>$ grub2-setpassword</pre> When prompted, enter the password that was selected. <br><br> Once the superuser password has been added, update the <code>grub.cfg</code> file by running: <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. 
Also, do NOT manually add the superuser account and password to the <code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if /boot/grub2/grub.cfg does not exist</span>&nbsp; <span class="label label-default">oval:ssg-test_grub2_password_file_boot_grub2_grub_cfg_absent:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td>regular</td><td>0</td><td>0</td><td>6460</td><td><code>rw-r--r--&nbsp;</code></td></tr></tbody></table><h4><span class="label label-primary">make sure a password is defined in /boot/grub2/user.cfg</span>&nbsp; <span class="label label-default">oval:ssg-test_grub2_password_usercfg:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_grub2_password_usercfg:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/boot/grub2/user.cfg</td><td>^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">make sure a password is defined in /boot/grub2/grub.cfg</span>&nbsp; <span class="label label-default">oval:ssg-test_grub2_password_grubcfg:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been 
found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_grub2_password_grubcfg:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td>^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">superuser is defined in /boot/grub2/grub.cfg files.</span>&nbsp; <span class="label label-default">oval:ssg-test_bootloader_superuser:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td> set superusers="root"</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notapplicable rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-detail-idm45662294195872"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password highCCE-80829-5 </div><div class="panel-heading"><h3 class="panel-title">Set the UEFI Boot Loader Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_uefi_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. 
For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80829-5">CCE-80829-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R17)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.5.2</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010140</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230234r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passwords are a security risk, generate a hash for the password by running the following command: <pre>$ grub2-setpassword</pre> When prompted, enter the password that was selected. 
<br><br> Once the superuser password has been added, update the <code>grub.cfg</code> file by running: <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the <code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force" id="rule-detail-idm45662294233024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->IOMMU configuration directivexccdf_org.ssgproject.content_rule_grub2_enable_iommu_force unknownCCE-83920-9 </div><div class="panel-heading"><h3 class="panel-title">IOMMU configuration directive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-grub2_enable_iommu_force:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83920-9">CCE-83920-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R11)</a></p></td></tr><tr><td>Description</td><td><div class="description">On x86 architectures supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system-critical units such as the memory.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">On x86 architectures, activating the I/OMMU protects the system from arbitrary accesses potentially made by hardware devices.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&#160;Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities.
Proper function and stability should be assessed before applying remediation to production systems.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for kernel command line parameters iommu=force in /boot/grub2/grubenv for all kernels</span>&#160;<span class="label label-default">oval:ssg-test_grub2_iommu_argument_grub_env:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grubenv</td><td>kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rd.lvm.lv=rhel/usr rhgb quiet iommu=force</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_deny_execmem" id="rule-detail-idm45662293988928"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the deny_execmem SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_deny_execmem mediumCCE-83307-9 </div><div class="panel-heading"><h3 class="panel-title">Enable the deny_execmem SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_deny_execmem</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_deny_execmem:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83307-9">CCE-83307-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>deny_execmem</code> is disabled. >If this setting is disabled, it should be enabled. 
To enable the <code>deny_execmem</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P deny_execmem on</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing user domain applications to map a memory region as both writable and executable makes them more susceptible to data execution attacks.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&#160;This rule doesn't come with a remediation, as enabling this SELinux boolean can cause applications to malfunction, for example graphical login managers and Firefox.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&#160;Proper function and stability should be assessed before enabling the SELinux boolean in production systems.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">deny_execmem is configured correctly</span>&#160;<span class="label label-default">oval:ssg-test_sebool_deny_execmem:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>deny_execmem</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" id="rule-detail-idm45662293692272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the secure_mode_insmod
SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod mediumCCE-83310-3 </div><div class="panel-heading"><h3 class="panel-title">Disable the secure_mode_insmod SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_secure_mode_insmod:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83310-3">CCE-83310-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>secure_mode_insmod</code> is disabled. >If this setting is enabled, it should be disabled. 
> >To disable the <code>secure_mode_insmod</code> SELinux boolean, run the following command: ><pre>$ sudo setsebool -P secure_mode_insmod off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">secure_mode_insmod is configured correctly</span>Â > <span class="label label-default">oval:ssg-test_sebool_secure_mode_insmod:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>secure_mode_insmod</td><td role="num">true</td><td role="num">true</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" id="rule-detail-idm45662293648208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the selinuxuser_execheap SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap mediumCCE-80949-1 </div><div class="panel-heading"><h3 class="panel-title">Disable the selinuxuser_execheap SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL 
Definition ID</td><td>oval:ssg-sebool_selinuxuser_execheap:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80949-1">CCE-80949-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>selinuxuser_execheap</code> is disabled. 
When enabled, this boolean allows selinuxusers to execute code from the heap. If this setting is enabled, it should be disabled. To disable the <code>selinuxuser_execheap</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P selinuxuser_execheap off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disabling code execution from the heap blocks buffer overflow attacks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">selinuxuser_execheap is configured correctly</span>&#160;<span class="label label-default">oval:ssg-test_sebool_selinuxuser_execheap:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>selinuxuser_execheap</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled" id="rule-detail-idm45662293611760"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the polyinstantiation_enabled SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled mediumCCE-84230-2 </div><div class="panel-heading"><h3 class="panel-title">Disable the polyinstantiation_enabled SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id
col-md-9">xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_polyinstantiation_enabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84230-2">CCE-84230-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. >If this setting is enabled, it should be disabled. 
> >To disable the <code>polyinstantiation_enabled</code> SELinux boolean, run the following command: ><pre>$ sudo setsebool -P polyinstantiation_enabled off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">polyinstantiation_enabled is configured correctly</span>Â > <span class="label label-default">oval:ssg-test_sebool_polyinstantiation_enabled:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>polyinstantiation_enabled</td><td role="num">true</td><td role="num">true</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" id="rule-detail-idm45662293604848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->disable the selinuxuser_execstack SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack mediumCCE-80951-7 </div><div class="panel-heading"><h3 class="panel-title">disable the selinuxuser_execstack SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_selinuxuser_execstack:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80951-7">CCE-80951-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean 
<code>selinuxuser_execstack</code> is enabled. >This setting should be disabled as unconfined executables should not be able >to make their stack executable. > >To disable the <code>selinuxuser_execstack</code> SELinux boolean, run the following command: ><pre>$ sudo setsebool -P selinuxuser_execstack off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disabling code execution from the stack blocks buffer overflow attacks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">selinuxuser_execstack is configured correctly</span>Â > <span class="label label-default">oval:ssg-test_sebool_selinuxuser_execstack:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>selinuxuser_execstack</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login" id="rule-detail-idm45662293536848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the ssh_sysadm_login SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login mediumCCE-83311-1 </div><div class="panel-heading"><h3 class="panel-title">Disable the ssh_sysadm_login SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_ssh_sysadm_login:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83311-1">CCE-83311-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. >If this setting is enabled, it should be disabled. 
> >To disable the <code>ssh_sysadm_login</code> SELinux boolean, run the following command: ><pre>$ sudo setsebool -P ssh_sysadm_login off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">ssh_sysadm_login is configured correctly</span>Â > <span class="label label-default">oval:ssg-test_sebool_ssh_sysadm_login:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>ssh_sysadm_login</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed" id="rule-detail-idm45662294161408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall setroubleshoot-plugins Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed lowCCE-84250-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall setroubleshoot-plugins Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_setroubleshoot-plugins_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84250-0">CCE-84250-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R68)</a></p></td></tr><tr><td>Description</td><td><div class="description">The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, >unauthorized intrusions, and other potential errors. 
>The <code>setroubleshoot-plugins</code> package can be removed with the following command: ><pre> >$ sudo yum erase setroubleshoot-plugins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The SETroubleshoot service is an unnecessary daemon to >have running on a server.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package setroubleshoot-plugins is removed</span>Â > <span class="label label-default">oval:ssg-test_package_setroubleshoot-plugins_removed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_setroubleshoot-plugins_removed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>setroubleshoot-plugins</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed" id="rule-detail-idm45662294157392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall setroubleshoot-server Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed lowCCE-83490-3 </div><div class="panel-heading"><h3 class="panel-title">Uninstall setroubleshoot-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr 
title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_setroubleshoot-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83490-3">CCE-83490-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R68)</a></p></td></tr><tr><td>Description</td><td><div class="description">The SETroubleshoot service notifies desktop users of SELinux >denials. The service provides information around configuration errors, >unauthorized intrusions, and other potential errors. 
>The <code>setroubleshoot-server</code> package can be removed with the following command: ><pre> >$ sudo yum erase setroubleshoot-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The SETroubleshoot service is an unnecessary daemon to have >running on a server.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package setroubleshoot-server is removed</span>Â > <span class="label label-default">oval:ssg-test_package_setroubleshoot-server_removed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_setroubleshoot-server_removed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>setroubleshoot-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" id="rule-detail-idm45662294153392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall setroubleshoot Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot_removed lowCCE-82755-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall setroubleshoot Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_setroubleshoot_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82755-0">CCE-82755-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R68)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.7.1.6</a></p></td></tr><tr><td>Description</td><td><div class="description">The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors.
The <code>setroubleshoot</code> package can be removed with the following command: <pre>$ sudo yum erase setroubleshoot</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is removed or disabled.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package setroubleshoot is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_setroubleshoot_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_setroubleshoot_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>setroubleshoot</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-detail-idm45662294149392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-80868-3 </div><div class="panel-heading"><h3 class="panel-title">Configure SELinux Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_policytype</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-selinux_policytype:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80868-3">CCE-80868-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.7.1.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a
href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010450</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230282r627750_rule</a>, <a href="">SRG-OS-000445-VMM-001780</a></p></td></tr><tr><td>Description</td><td><div class="description">The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in <code>/etc/selinux/config</code>: <pre>SELINUXTYPE=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></pre> Other policies, such as <code>mls</code>, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the SELinux policy to <code>targeted</code> or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. <br><br> Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in <code>permissive</code> mode.
In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file</span>&nbsp; <span class="label label-default">oval:ssg-test_selinux_policy:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUXTYPE=targeted</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-detail-idm45662294132368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state mediumCCE-80869-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux State is Enforcing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_state</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-selinux_state:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80869-1">CCE-80869-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R4)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.7.1.4</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a
href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010170</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230240r627750_rule</a>, <a href="">SRG-OS-000445-VMM-001780</a></p></td></tr><tr><td>Description</td><td><div class="description">The SELinux state should be set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></code> at system boot time. In the file <code>/etc/selinux/config</code>, add or correct the following line to configure the system to boot into enforcing mode: <pre>SELINUX=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/selinux/enforce is 1</span> <span class="label label-default">oval:ssg-test_etc_selinux_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUX=enforcing</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" id="rule-detail-idm45662293434656"><div class="keywords sr-only"><!--This 
allows OpenSCAP JS to search the report rules-->Configure System to Forward All Mail For The Root Accountxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias lowCCE-82381-5 </div><div class="panel-heading"><h3 class="panel-title">Configure System to Forward All Mail For The Root Account</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-postfix_client_configure_mail_alias:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82381-5">CCE-82381-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R49)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000139</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000046-GPOS-00022</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-030030</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230389r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Make sure that mail delivered to the root user is forwarded to a monitored email address. Make sure that the address <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias">system.administrator@mail.mil</abbr> is a valid email address reachable from the system in question. Use the following commands to configure the alias: <pre>$ echo "root: <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias">system.administrator@mail.mil</abbr>" | sudo tee -a /etc/aliases
$ sudo newaliases</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. 
These messages must be forwarded to at least one monitored email address.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if root has the correct mail alias.</span> <span class="label label-default">oval:ssg-test_postfix_client_configure_mail_alias:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/aliases</td><td>root: system.administrator@mail.mil</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" id="rule-detail-idm45662293429808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Postfix Network Listeningxccdf_org.ssgproject.content_rule_postfix_network_listening_disabled mediumCCE-82174-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Postfix Network Listening</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-postfix_network_listening_disabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82174-4">CCE-82174-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R48)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.18</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000382</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td>Description</td><td><div class="description">Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_postfix_inet_interfaces">loopback-only</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">This ensures <code>postfix</code> accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div 
class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package postfix is installed</span> <span class="label label-default">oval:ssg-test_service_postfix_package_postfix_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_postfix_package_postfix_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>postfix</td></tr></tbody></table><h4><span class="label label-primary">Test that the postfix service is running</span> <span class="label label-default">oval:ssg-test_service_running_postfix:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of postfix">oval:ssg-obj_service_running_postfix:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^postfix\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_postfix:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var-tmp.mount</td><td>var.mount</td><td>sysinit.target</td><td>plymouth-read-write.service</td><td>lvm2-monitor.service</td><td>cryptsetup.target</td><td>systemd-hwdb-update.service</td><td>sys-kernel-debug.mount</td><td>local-fs.target</td><td>-.mount</td><td>srv.mount</td><td>opt.mount</td><td>home.mount</td><td>var-log.mount</td><td>tmp.mount</td><td>var-log-audit.mount</td><td>usr.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>ostree-remount.service</td><td>lvm2-lvmpolld.socket</td><td>systemd-journal-flush.service</td><td>nis-domainname.service</td><td>iscsi-onboot.service</td><td>ldconfig.service</td><td>systemd-udevd.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-utmp.service</td><td>systemd-random-seed.service</td><td>plymouth-start.service</td><td>dev-mqueue.mount</td><td>systemd-tmpfiles-setup.service</td><td>systemd-update-done.service</td><td>systemd-sysctl.service</td><td>systemd-modules-load.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-binfmt.service</td><td>selinux-autorelabel-mark.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>dev-hugepages.mount</td><td>systemd-udev-trigger.service</td><td>systemd-machine-id-commit.service</td><td>systemd-sysusers.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>sys-kernel-config.mount</td><td
>loadmodules.service</td><td>swap.target</td><td>dev-mapper-rhel\x2dswap.swap</td><td>kmod-static-nodes.service</td><td>multipathd.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-journald.service</td><td>dracut-shutdown.service</td><td>paths.target</td><td>timers.target</td><td>dnf-makecache.timer</td><td>dnf-automatic.timer</td><td>mlocate-updatedb.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-journald.socket</td><td>avahi-daemon.socket</td><td>systemd-journald-dev-log.socket</td><td>dm-event.socket</td><td>libvirtd-ro.socket</td><td>dbus.socket</td><td>libvirtd.socket</td><td>virtlogd.socket</td><td>virtlockd.socket</td><td>systemd-coredump.socket</td><td>iscsiuio.socket</td><td>systemd-udevd-kernel.socket</td><td>multipathd.socket</td><td>systemd-initctl.socket</td><td>iscsid.socket</td><td>cups.socket</td><td>systemd-udevd-control.socket</td><td>rpcbind.socket</td><td>sssd-kcm.socket</td><td>microcode.service</td><td>mdmonitor.service</td><td>smartd.service</td><td>sssd.service</td><td>plymouth-quit-wait.service</td><td>auditd.service</td><td>nfs-client.target</td><td>auth-rpcgss-module.service</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>getty@tty1.service</td><td>vdo.service</td><td>plymouth-quit.service</td><td>mcelog.service</td><td>systemd-ask-password-wall.path</td><td>ksm.service</td><td>tuned.service</td><td>rpcbind.service</td><td>rsyslog.service</td><td>ModemManager.service</td><td>chronyd.service</td><td>systemd-logind.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>NetworkManager.service</td><td>libstoragemgmt.service</td><td>vmtoolsd.service</td><td>sshd.service</td><td>ksmtuned.service</td><td>firewalld.service</td><td>irqbalance.service</td><td>cups.service</td><td>systemd-user-sessions.service</td><td>rhsmcertd.service</td><td
>avahi-daemon.service</td><td>dbus.service</td><td>kdump.service</td><td>libvirtd.service</td><td>cups.path</td><td>remote-fs.target</td><td>iscsi.service</td><td>var-lib-machines.mount</td><td>atd.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_postfix_socket:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><h4><span class="label label-primary">inet_interfaces in /etc/postfix/main.cf should be set correctly</span> <span class="label label-default">oval:ssg-test_postfix_network_listening_disabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="inet_interfaces in /etc/postfix/main.cf should be set correctly">oval:ssg-obj_postfix_network_listening_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/postfix/main.cf</td><td>^[\s]*inet_interfaces[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed" id="rule-detail-idm45662293442768"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall Sendmail Packagexccdf_org.ssgproject.content_rule_package_sendmail_removed mediumCCE-81039-0 </div><div class="panel-heading"><h3 
class="panel-title">Uninstall Sendmail Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_sendmail_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_sendmail_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81039-0">CCE-81039-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040002</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230489r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the following command: <pre>$ sudo yum erase sendmail</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sendmail is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_sendmail_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_sendmail_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>sendmail</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-detail-idm45662293182000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-80901-2 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Root Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_root_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_root_login:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80901-2">CCE-80901-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R21)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.10</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a 
href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000770</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000109-GPOS-00056</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010550</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230296r627750_rule</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>PermitRootLogin no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have 
been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_disable_root_login:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>PermitRootLogin no</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-detail-idm45662293153536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout mediumCCE-80906-1 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Idle Timeout Interval</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sshd_set_idle_timeout:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80906-1">CCE-80906-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.13</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002361</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000126-GPOS-00066</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000395-GPOS-00175</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010200</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230244r627750_rule</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. <br><br> To set an idle timeout interval, edit the following line in <code>/etc/ssh/sshd_config</code> as follows: <pre>ClientAliveInterval <b><abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">600</abbr></b></pre> <br><br> The timeout <b>interval</b> is given in seconds. For example, to have a timeout of 10 minutes, set <b>interval</b> to 600. <br><br> If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in <code>/etc/ssh/sshd_config</code>.
Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; SSH disconnecting idle clients will not have the desired effect without also configuring ClientAliveCountMax in the SSH service configuration.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; The following conditions may prevent the SSH session from timing out: <ul><li>Remote processes on the remote machine generate output. As the output has to be transferred over the network to the client, the timeout is reset every time such a transfer happens.</li><li>Any <code>scp</code> or <code>sftp</code> activity by the same user to the host resets the timeout.</li></ul></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the
default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">timeout is configured</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_idle_timeout:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>ClientAliveInterval 600</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp; <span class="label
label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_clientalivecountmax:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>ClientAliveCountMax 0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-detail-idm45662293114672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Client Alive Count Maxxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-80907-9 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Client Alive Count Max</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_keepalive</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_set_keepalive:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80907-9">CCE-80907-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.13</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a
href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002361</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">The SSH server sends at most <code>ClientAliveCountMax</code> messages during an SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures the timeout after each <code>ClientAliveCountMax</code> message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. For SSH earlier than v8.2, a <code>ClientAliveCountMax</code> value of <code>0</code> causes an idle timeout precisely when the <code>ClientAliveInterval</code> is set.
Starting with v8.2, a value of <code>0</code> disables the timeout functionality completely. If the option is set to a number greater than <code>0</code>, then the idle session will be disconnected after <code>ClientAliveInterval * ClientAliveCountMax</code> seconds.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">This ensures a user login will be terminated as soon as the <code>ClientAliveInterval</code> is reached.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended
name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_clientalivecountmax:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>ClientAliveCountMax 0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-detail-idm45662293233344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-82424-3 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Private *_key Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_sshd_private_key:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82424-3">CCE-82424-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.3</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010490</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230287r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To properly set the permissions of <code>/etc/ssh/*_key</code>, run the command: <pre>$ sudo chmod 0640 /etc/ssh/*_key</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/ssh/</span> <span class="label label-default">oval:ssg-test_file_permissions_sshd_private_key:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/ssh/">oval:ssg-object_file_permissions_sshd_private_key:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/ssh/</td><td>^.*_key$</td><td>oval:ssg-state_file_permissions_sshd_private_key_mode_not_0640:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_chrony_installed" id="rule-detail-idm45662292904944"><div class="keywords sr-only"><!--This allows
OpenSCAP JS to search the report rules-->The Chrony package is installedxccdf_org.ssgproject.content_rule_package_chrony_installed mediumCCE-82874-9 </div><div class="panel-heading"><h3 class="panel-title">The Chrony package is installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_chrony_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_chrony_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82874-9">CCE-82874-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.1.1</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</a></p></td></tr><tr><td>Description</td><td><div class="description">System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them.
The <code>chrony</code> package can be installed with the following command: <pre>$ sudo yum install chrony</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package chrony is installed</span> <span class="label label-default">oval:ssg-test_package_chrony_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>chrony</td><td>x86_64</td><td>(none)</td><td>2.el8</td><td>3.5</td><td>0:3.5-2.el8</td><td>199e2f91fd431d51</td><td>chrony-0:3.5-2.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" id="rule-detail-idm45662292879888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->A remote time server for Chrony is configuredxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server mediumCCE-82873-1 </div><div class="panel-heading"><h3 class="panel-title">A remote time server for Chrony is configured</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id
col-md-9">xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-chronyd_specify_remote_server:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82873-1">CCE-82873-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.1.2</a>, <a href="">0988</a>, <a href="">1405</a></p></td></tr><tr><td>Description</td><td><div class="description"><code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on <code>chrony</code> can be found at <a href="http://chrony.tuxfamily.org/">http://chrony.tuxfamily.org/</a>. <code>Chrony</code> can be configured to be a client and/or a server.
Add or edit server or pool lines to <code>/etc/chrony.conf</code> as appropriate: <pre>server &lt;remote-server&gt;</pre> Multiple servers may be configured.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If <code>chrony</code> is in use on the system proper configuration is vital to ensuring time synchronization is working properly.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensure at least one NTP server is set</span> <span class="label label-default">oval:ssg-test_chronyd_remote_server:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/chrony.conf</td><td>pool 2.rhel.pool.ntp.org iburst</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-detail-idm45662292836352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-82184-3 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsh-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82184-3">CCE-82184-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040010</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230492r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsh-server</code> package can be removed with the following command: <pre>$ sudo yum erase rsh-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>rsh-server</code> service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The <code>rsh-server</code> package provides several obsolete and insecure network services.
Removing it decreases the risk of those services' accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsh-server is removed</span> <span class="label label-default">oval:ssg-test_package_rsh-server_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsh-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsh-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-detail-idm45662292832352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh Packagexccdf_org.ssgproject.content_rule_package_rsh_removed unknownCCE-82183-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-package_rsh_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82183-5">CCE-82183-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsh</code> package contains the client commands for the rsh services</div></td></tr><tr><td>Rationale</td><td><div class="rationale">These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the <code>rsh</code> package removes the clients for <code>rsh</code>, <code>rcp</code>, and <code>rlogin</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsh is removed</span> <span class="label label-default">oval:ssg-test_package_rsh_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsh_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsh</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-detail-idm45662292812208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove NIS
Clientxccdf_org.ssgproject.content_rule_package_ypbind_removed unknownCCE-82181-9 </div><div class="panel-heading"><h3 class="panel-title">Remove NIS Client</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypbind_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_ypbind_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82181-9">CCE-82181-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.3.1</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (<code>ypbind</code>) was used to bind a system to an NIS server and receive the distributed configuration files.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps.
NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package ypbind is removed</span> <span class="label label-default">oval:ssg-test_package_ypbind_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_ypbind_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>ypbind</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-detail-idm45662292808224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall ypserv Packagexccdf_org.ssgproject.content_rule_package_ypserv_removed highCCE-82432-6 </div><div class="panel-heading"><h3 class="panel-title">Uninstall ypserv Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypserv_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-package_ypserv_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82432-6">CCE-82432-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.17</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>ypserv</code> package can be removed with the following command: <pre>$ sudo yum erase ypserv</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the <code>ypserv</code> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package ypserv is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_ypserv_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_ypserv_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>ypserv</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-detail-idm45662292801536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-82182-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall telnet-server Package</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_telnet-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82182-7">CCE-82182-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040000</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230487r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>telnet-server</code> package can be removed with the following command: <pre>$ sudo yum erase telnet-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.<br>The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
<br>Removing the <code>telnet-server</code> package decreases the risk of the telnet service's accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet-server is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_telnet-server_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_telnet-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-detail-idm45662292797536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove telnet Clientsxccdf_org.ssgproject.content_rule_package_telnet_removed lowCCE-80849-3 </div><div class="panel-heading"><h3 class="panel-title">Remove telnet Clients</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_telnet_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80849-3">CCE-80849-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The telnet client allows users to start connections to other systems via the telnet protocol.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>telnet</code> protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The <code>ssh</code> package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_telnet_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_telnet_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" id="rule-detail-idm45662292790848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall xinetd 
Packagexccdf_org.ssgproject.content_rule_package_xinetd_removed lowCCE-80850-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall xinetd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_xinetd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_xinetd_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80850-1">CCE-80850-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.1.1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000305</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>xinetd</code> package can be removed with the following command: <pre> $ sudo yum erase xinetd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Removing the <code>xinetd</code> package decreases the risk of the xinetd service's accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel 
panel-default"><div class="panel-body"><h4><span class="label label-primary">package xinetd is removed</span> <span class="label label-default">oval:ssg-test_package_xinetd_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_xinetd_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>xinetd</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-detail-idm45662292784160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall talk-server Packagexccdf_org.ssgproject.content_rule_package_talk-server_removed mediumCCE-82180-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_talk-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82180-1">CCE-82180-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>talk-server</code> package can be removed with the following command: <pre> $ sudo yum erase talk-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The talk software presents a security risk as it uses unencrypted protocols for communications. 
Removing the <code>talk-server</code> package decreases the risk of the accidental (or intentional) activation of talk services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package talk-server is removed</span> <span class="label label-default">oval:ssg-test_package_talk-server_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_talk-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>talk-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-detail-idm45662292780160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall talk Packagexccdf_org.ssgproject.content_rule_package_talk_removed mediumCCE-80848-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_talk_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80848-5">CCE-80848-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. 
Talk is a communication program which copies lines from one terminal to the terminal of another user. The <code>talk</code> package can be removed with the following command: <pre> $ sudo yum erase talk</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the <code>talk</code> package decreases the risk of the accidental (or intentional) activation of the talk client program.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package talk is removed</span> <span class="label label-default">oval:ssg-test_package_talk_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_talk_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>talk</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-detail-idm45662292776192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-82436-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall tftp-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_tftp-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_tftp-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82436-7">CCE-82436-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040190</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230533r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Removing the <code>tftp-server</code> package decreases the risk of the accidental (or intentional) activation of tftp services. <br><br> If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package tftp-server is removed</span> <span class="label label-default">oval:ssg-test_package_tftp-server_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_tftp-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>tftp-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_tftp_removed" id="rule-detail-idm45662292772192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove tftp Daemonxccdf_org.ssgproject.content_rule_package_tftp_removed lowCCE-83590-0 </div><div class="panel-heading"><h3 class="panel-title">Remove 
tftp Daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tftp_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_tftp_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83590-0">CCE-83590-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a></p></td></tr><tr><td>Description</td><td><div class="description">Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. 
The package <code>tftp</code> is a client program that allows for connections to a <code>tftp</code> server.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package tftp is removed</span> <span class="label label-default">oval:ssg-test_package_tftp_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_tftp_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>tftp</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed" id="rule-detail-idm45662292762832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall DHCP Server Packagexccdf_org.ssgproject.content_rule_package_dhcp_removed mediumCCE-83385-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall DHCP Server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_dhcp_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_dhcp_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83385-5">CCE-83385-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td>Description</td><td><div class="description">If the system does not need to act as a DHCP server, the dhcp package can be uninstalled.
The <code>dhcp</code> package can be removed with the following command: <pre>$ sudo yum erase dhcp</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dhcp-server is removed</span> <span class="label label-default">oval:ssg-test_package_dhcp-server_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_dhcp-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>dhcp-server</td></tr></tbody></table></div></div></div></div></div><a href="#result-details" class="btn btn-info noprint">Scroll back to the first rule</a></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.</div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit">Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.3.5</p></div></footer></body></html>
<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_anssi_bp28_high | OpenSCAP Evaluation Report</title><style> /*! * Bootstrap v3.3.7 (http://getbootstrap.com) * Copyright 2011-2016 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ /*! * Generated using the Bootstrap Customizer (https://getbootstrap.com/customize/?id=8160adef040364fa8f688f6065765caf) * Config saved to config.json and https://gist.github.com/8160adef040364fa8f688f6065765caf *//*! * Bootstrap v3.3.7 (http://getbootstrap.com) * Copyright 2011-2016 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:0.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace, 
monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button,select{text-transform:none}button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}input{line-height:normal}input[type="checkbox"],input[type="radio"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type="number"]::-webkit-inner-spin-button,input[type="number"]::-webkit-outer-spin-button{height:auto}input[type="search"]{-webkit-appearance:textfield;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid #c0c0c0;margin:0 2px;padding:0.35em 0.625em 0.75em}legend{border:0;padding:0}textarea{overflow:auto}optgroup{font-weight:bold}table{border-collapse:collapse;border-spacing:0}td,th{padding:0}/*! 
Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,*:before,*:after{background:transparent !important;color:#000 !important;-webkit-box-shadow:none !important;box-shadow:none !important;text-shadow:none !important}a,a:visited{text-decoration:underline}a[href^="#"]:after,a[href^="javascript:"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000 !important}.label{border:1px solid #000}.table{border-collapse:collapse !important}.table td,.table th{background-color:#fff !important}.table-bordered th,.table-bordered td{border:1px solid #ddd !important}}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive{display:block;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out;display:inline-block;max-width:100%;height:auto}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid 
#eee}.sr-only{position:absolute;width:1px;height:1px;margin:-1px;padding:0;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}[role="button"]{cursor:pointer}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:normal;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}mark,.mark{background-color:#fcf8e3;padding:.2em}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover,a.text-primary:focus{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover,a.text-success:focus{color:#2b542c}.text-info{color:#31708f}a.text-info:hover,a.text-info:focus{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover,a.text-warning:focus{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover,a.text-danger:focus{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover,a.bg-primary:focus{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover,a.bg-success:focus{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover,a.bg-info:focus{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover,a.bg-warning:focus{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover,a.bg-danger:focus{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none;margin-left:-5px}.list-inline>li{display:inline-block;padding-left:5px;padding-right:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:bold}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;clear:left;text-align:right;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal 
dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0;text-align:right}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.25)}kbd kbd{padding:0;font-size:100%;font-weight:bold;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;word-break:break-all;word-wrap:break-word;color:#333;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre 
code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}.row{margin-left:-15px;margin-right:-15px}.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12{position:relative;min-height:1px;padding-left:15px;padding-right:15px}.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, 
.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, 
.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, 
.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media (min-width:1200px){.col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, 
.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}caption{padding-top:8px;padding-bottom:8px;color:#777;text-align:left}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid 
#ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-of-type(odd){background-color:#f9f9f9}.table-hover>tbody>tr:hover{background-color:#f5f5f5}table col[class*="col-"]{position:static;float:none;display:table-column}table td[class*="col-"],table 
th[class*="col-"]{position:static;float:none;display:table-cell}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table
>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}.table-responsive{overflow-x:auto;min-height:0.01%}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-y:hidden;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0;min-width:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:bold}input[type="search"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type="radio"],input[type="checkbox"]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type="file"]{display:block}input[type="range"]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type="file"]:focus,input[type="radio"]:focus,input[type="checkbox"]:focus{outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn 
.label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:middle;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}.nav-pills>li>a>.badge{margin-left:3px}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#dff0d8;border-color:#d6e9c6;color:#3c763d}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#31708f}.alert-info 
hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#8a6d3b}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{background-color:#f2dede;border-color:#ebccd1;color:#a94442}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:20px;margin-bottom:20px;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear 
infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, 
transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a,.panel-title>small,.panel-title>.small,.panel-title>small>a,.panel-title>.small>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group,.panel>.panel-collapse>.list-group{margin-bottom:0}.panel>.list-group .list-group-item,.panel>.panel-collapse>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child,.panel>.panel-collapse>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:3px;border-top-left-radius:3px}.panel>.list-group:last-child .list-group-item:last-child,.panel>.panel-collapse>.list-group:last-child 
.list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.panel-heading+.panel-collapse>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table caption,.panel>.table-responsive>.table caption,.panel>.panel-collapse>.table caption{padding-left:15px;padding-right:15px}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:3px;border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child 
td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child{border-bottom-left-radius:3px;border-bottom-right-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive,.panel>.table+.panel-body,.panel>.table-responsive+.panel-body{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.
table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body,.panel-group .panel-heading+.panel-collapse>.list-group{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading 
.badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading 
.badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate(0, -25%);-ms-transform:translate(0, -25%);-o-transform:translate(0, -25%);transform:translate(0, -25%);-webkit-transition:-webkit-transform 0.3s ease-out;-o-transition:-o-transform 0.3s ease-out;transition:transform 0.3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0, 0);-ms-transform:translate(0, 0);-o-transform:translate(0, 0);transform:translate(0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);-webkit-background-clip:padding-box;background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px 
rgba(0,0,0,0.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.panel-body:before,.panel-body:after,.modal-header:before,.modal-header:after,.modal-footer:before,.modal-footer:after{content:" ";display:table}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.panel-body:after,.modal-header:after,.modal-footer:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none !important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media (max-width:767px){.visible-xs{display:block !important}table.visible-xs{display:table !important}tr.visible-xs{display:table-row 
!important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media (max-width:767px){.visible-xs-block{display:block !important}}@media (max-width:767px){.visible-xs-inline{display:inline !important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block !important}table.visible-sm{display:table !important}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block !important}table.visible-md{display:table !important}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block !important}}@media (min-width:1200px){.visible-lg{display:block !important}table.visible-lg{display:table !important}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media (min-width:1200px){.visible-lg-block{display:block !important}}@media (min-width:1200px){.visible-lg-inline{display:inline !important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block !important}}@media (max-width:767px){.hidden-xs{display:none !important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none !important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none !important}}@media 
(min-width:1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table !important}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}} table.treetable span.indenter{display:inline-block;margin:0;padding:0;text-align:right;user-select:none;-khtml-user-select:none;-moz-user-select:none;-o-user-select:none;-webkit-user-select:none;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;width:19px}table.treetable span.indenter a{background-position:left center;background-repeat:no-repeat;display:inline-block;text-decoration:none;width:19px}table.treetable tr.collapsed span.indenter 
a{}table.treetable tr.expanded span.indenter
a{}table.treetable tr.branch{background-color:#f9f9f9}table.treetable
tr.selected{background-color:#3875d7;color:#fff}table.treetable tr span.indenter a{outline:0}tr.rule-overview-needs-attention td a{color:#d9534f}td.rule-result div,span.rule-result{text-align:center;font-weight:bold;color:#fff;background:gray}td.rule-result-fail div,span.rule-result-fail{background:#d9534f}td.rule-result-error div,span.rule-result-error{background:#d9534f}td.rule-result-unknown div,span.rule-result-unknown{background:#f0ad4e}td.rule-result-pass div,span.rule-result-pass{background:#5cb85c}td.rule-result-fixed div,span.rule-result-fixed{background:#5cb85c}.js-only{display:none}.rule-result-filtered,.rule-result-filtered>*{display:none !important}.search-no-match,.search-no-match>*{display:none !important}.rule-detail-fail,.rule-detail-error,.rule-detail-unknown{border:2px solid #d9534f}#footer{text-align:center;margin-top:50px}pre{overflow:auto !important;word-wrap:normal !important;white-space:pre-wrap}div.check-system-details,div.remediation,div.description{width:0;min-width:100%;overflow-x:auto}div.profile-description{white-space:pre-wrap}div.modal-body{margin:50px;padding:0}div.horizontal-scroll{overflow-x:auto}div.top-spacer-10{margin-top:10px}@media print{.noprint{display:none}.label{border:0;padding:0}.container{width:100%}abbr[title]{border:0;text-decoration:none}div.progress{overflow:visible;height:auto}div.progress-bar{width:auto;float:none;width:auto !important;text-align:left}div.panel-body{padding:4px}}</style><script> /*! 
jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */ !function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="1.12.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(n.isPlainObject(c)||(b=n.isArray(c)))?(b?(b=!1,f=a&&n.isArray(a)?a:[]):f=a&&n.isPlainObject(a)?a:{},g[d]=n.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new 
Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray||function(a){return"array"===n.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;try{if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(!l.ownFirst)for(b in a)return k.call(a,b);for(b in a);return void 0===b||k.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(b){b&&n.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(h)return h.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof 
b&&(f=a[b],b=a,a=f),n.isFunction(a)?(c=e.call(arguments,2),d=function(){return a.apply(b||this,c.concat(e.call(arguments)))},d.guid=a.guid=a.guid||n.guid++,d):void 0},now:function(){return+new Date},support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new 
RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var 
c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var 
c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="<a id='"+u+"'></a><select id='"+u+"-\r\\' msallowcapture=''><option selected=''></option></select>",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return 
d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," 
":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var 
j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return 
a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=la(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=ma(b);function pa(){}pa.prototype=d.filters=d.pseudos,d.setFilters=new pa,g=fa.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=R.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=S.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(Q," ")}),h=h.slice(c.length));for(g in d.filter)!(e=W[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fa.error(a):z(a,i).slice(0)};function qa(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function 
ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var 
l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return 
0}),n.cssHooks.marginLeft=Ua(l.reliableMarginLeft,function(a,b){return b?(parseFloat(Sa(a,"marginLeft"))||(n.contains(a.ownerDocument,a)?a.getBoundingClientRect().left-Pa(a,{ marginLeft:0},function(){return a.getBoundingClientRect().left}):0))+"px":void 0}),n.each({margin:"",padding:"",border:"Width"},function(a,b){n.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f="string"==typeof c?c.split(" "):[c];4>d;d++)e[a+V[d]+b]=f[d]||f[d-2]||f[0];return e}},Na.test(a)||(n.cssHooks[a+b].set=db)}),n.fn.extend({css:function(a,b){return Y(this,function(a,b,c){var d,e,f={},g=0;if(n.isArray(b)){for(d=Ra(a),e=b.length;e>g;g++)f[b[g]]=n.css(a,b[g],!1,d);return f}return void 0!==c?n.style(a,b,c):n.css(a,b)},a,b,arguments.length>1)},show:function(){return cb(this,!0)},hide:function(){return cb(this)},toggle:function(a){return"boolean"==typeof a?a?this.show():this.hide():this.each(function(){W(this)?n(this).show():n(this).hide()})}});function gb(a,b,c,d,e){return new gb.prototype.init(a,b,c,d,e)}n.Tween=gb,gb.prototype={constructor:gb,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||n.easing._default,this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(n.cssNumber[c]?"":"px")},cur:function(){var a=gb.propHooks[this.prop];return a&&a.get?a.get(this):gb.propHooks._default.get(this)},run:function(a){var b,c=gb.propHooks[this.prop];return this.options.duration?this.pos=b=n.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):this.pos=b=a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):gb.propHooks._default.set(this),this}},gb.prototype.init.prototype=gb.prototype,gb.propHooks={_default:{get:function(a){var b;return 
1!==a.elem.nodeType||null!=a.elem[a.prop]&&null==a.elem.style[a.prop]?a.elem[a.prop]:(b=n.css(a.elem,a.prop,""),b&&"auto"!==b?b:0)},set:function(a){n.fx.step[a.prop]?n.fx.step[a.prop](a):1!==a.elem.nodeType||null==a.elem.style[n.cssProps[a.prop]]&&!n.cssHooks[a.prop]?a.elem[a.prop]=a.now:n.style(a.elem,a.prop,a.now+a.unit)}}},gb.propHooks.scrollTop=gb.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},n.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2},_default:"swing"},n.fx=gb.prototype.init,n.fx.step={};var hb,ib,jb=/^(?:toggle|show|hide)$/,kb=/queueHooks$/;function lb(){return a.setTimeout(function(){hb=void 0}),hb=n.now()}function mb(a,b){var c,d={height:a},e=0;for(b=b?1:0;4>e;e+=2-b)c=V[e],d["margin"+c]=d["padding"+c]=a;return b&&(d.opacity=d.width=a),d}function nb(a,b,c){for(var d,e=(qb.tweeners[b]||[]).concat(qb.tweeners["*"]),f=0,g=e.length;g>f;f++)if(d=e[f].call(c,b,a))return d}function ob(a,b,c){var d,e,f,g,h,i,j,k,m=this,o={},p=a.style,q=a.nodeType&&W(a),r=n._data(a,"fxshow");c.queue||(h=n._queueHooks(a,"fx"),null==h.unqueued&&(h.unqueued=0,i=h.empty.fire,h.empty.fire=function(){h.unqueued||i()}),h.unqueued++,m.always(function(){m.always(function(){h.unqueued--,n.queue(a,"fx").length||h.empty.fire()})})),1===a.nodeType&&("height"in b||"width"in b)&&(c.overflow=[p.overflow,p.overflowX,p.overflowY],j=n.css(a,"display"),k="none"===j?n._data(a,"olddisplay")||Ma(a.nodeName):j,"inline"===k&&"none"===n.css(a,"float")&&(l.inlineBlockNeedsLayout&&"inline"!==Ma(a.nodeName)?p.zoom=1:p.display="inline-block")),c.overflow&&(p.overflow="hidden",l.shrinkWrapBlocks()||m.always(function(){p.overflow=c.overflow[0],p.overflowX=c.overflow[1],p.overflowY=c.overflow[2]}));for(d in b)if(e=b[d],jb.exec(e)){if(delete b[d],f=f||"toggle"===e,e===(q?"hide":"show")){if("show"!==e||!r||void 0===r[d])continue;q=!0}o[d]=r&&r[d]||n.style(a,d)}else j=void 
0;if(n.isEmptyObject(o))"inline"===("none"===j?Ma(a.nodeName):j)&&(p.display=j);else{r?"hidden"in r&&(q=r.hidden):r=n._data(a,"fxshow",{}),f&&(r.hidden=!q),q?n(a).show():m.done(function(){n(a).hide()}),m.done(function(){var b;n._removeData(a,"fxshow");for(b in o)n.style(a,b,o[b])});for(d in o)g=nb(q?r[d]:0,d,m),d in r||(r[d]=g.start,q&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function pb(a,b){var c,d,e,f,g;for(c in a)if(d=n.camelCase(c),e=b[d],f=a[c],n.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=n.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function qb(a,b,c){var d,e,f=0,g=qb.prefilters.length,h=n.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=hb||lb(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:n.extend({},b),opts:n.extend(!0,{specialEasing:{},easing:n.easing._default},c),originalProperties:b,originalOptions:c,startTime:hb||lb(),duration:c.duration,tweens:[],createTween:function(b,c){var d=n.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?(h.notifyWith(a,[j,1,0]),h.resolveWith(a,[j,b])):h.rejectWith(a,[j,b]),this}}),k=j.props;for(pb(k,j.opts.specialEasing);g>f;f++)if(d=qb.prefilters[f].call(j,a,k,j.opts))return n.isFunction(d.stop)&&(n._queueHooks(j.elem,j.opts.queue).stop=n.proxy(d.stop,d)),d;return n.map(k,nb,j),n.isFunction(j.opts.start)&&j.opts.start.call(a,j),n.fx.timer(n.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}n.Animation=n.extend(qb,{tweeners:{"*":[function(a,b){var c=this.createTween(a,b);return 
X(c.elem,a,U.exec(b),c),c}]},tweener:function(a,b){n.isFunction(a)?(b=a,a=["*"]):a=a.match(G);for(var c,d=0,e=a.length;e>d;d++)c=a[d],qb.tweeners[c]=qb.tweeners[c]||[],qb.tweeners[c].unshift(b)},prefilters:[ob],prefilter:function(a,b){b?qb.prefilters.unshift(a):qb.prefilters.push(a)}}),n.speed=function(a,b,c){var d=a&&"object"==typeof a?n.extend({},a):{complete:c||!c&&b||n.isFunction(a)&&a,duration:a,easing:c&&b||b&&!n.isFunction(b)&&b};return d.duration=n.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in n.fx.speeds?n.fx.speeds[d.duration]:n.fx.speeds._default,null!=d.queue&&d.queue!==!0||(d.queue="fx"),d.old=d.complete,d.complete=function(){n.isFunction(d.old)&&d.old.call(this),d.queue&&n.dequeue(this,d.queue)},d},n.fn.extend({fadeTo:function(a,b,c,d){return this.filter(W).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=n.isEmptyObject(a),f=n.speed(b,c,d),g=function(){var b=qb(this,n.extend({},a),f);(e||n._data(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=n.timers,g=n._data(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&kb.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));!b&&c||n.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=n._data(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=n.timers,g=d?d.length:0;for(c.finish=!0,n.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),n.each(["toggle","show","hide"],function(a,b){var c=n.fn[b];n.fn[b]=function(a,d,e){return 
null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(mb(b,!0),a,d,e)}}),n.each({slideDown:mb("show"),slideUp:mb("hide"),slideToggle:mb("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){n.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),n.timers=[],n.fx.tick=function(){var a,b=n.timers,c=0;for(hb=n.now();c<b.length;c++)a=b[c],a()||b[c]!==a||b.splice(c--,1);b.length||n.fx.stop(),hb=void 0},n.fx.timer=function(a){n.timers.push(a),a()?n.fx.start():n.timers.pop()},n.fx.interval=13,n.fx.start=function(){ib||(ib=a.setInterval(n.fx.tick,n.fx.interval))},n.fx.stop=function(){a.clearInterval(ib),ib=null},n.fx.speeds={slow:600,fast:200,_default:400},n.fn.delay=function(b,c){return b=n.fx?n.fx.speeds[b]||b:b,c=c||"fx",this.queue(c,function(c,d){var e=a.setTimeout(c,b);d.stop=function(){a.clearTimeout(e)}})},function(){var a,b=d.createElement("input"),c=d.createElement("div"),e=d.createElement("select"),f=e.appendChild(d.createElement("option"));c=d.createElement("div"),c.setAttribute("className","t"),c.innerHTML=" <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",a=c.getElementsByTagName("a")[0],b.setAttribute("type","checkbox"),c.appendChild(b),a=c.getElementsByTagName("a")[0],a.style.cssText="top:1px",l.getSetAttribute="t"!==c.className,l.style=/top/.test(a.getAttribute("style")),l.hrefNormalized="/a"===a.getAttribute("href"),l.checkOn=!!b.value,l.optSelected=f.selected,l.enctype=!!d.createElement("form").enctype,e.disabled=!0,l.optDisabled=!f.disabled,b=d.createElement("input"),b.setAttribute("value",""),l.input=""===b.getAttribute("value"),b.value="t",b.setAttribute("type","radio"),l.radioValue="t"===b.value}();var rb=/\r/g,sb=/[\x20\t\r\n\f]+/g;n.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=n.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,n(this).val()):a,null==e?e="":"number"==typeof 
e?e+="":n.isArray(e)&&(e=n.map(e,function(a){return null==a?"":a+""})),b=n.valHooks[this.type]||n.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=n.valHooks[e.type]||n.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(rb,""):null==c?"":c)}}}),n.extend({valHooks:{option:{get:function(a){var b=n.find.attr(a,"value");return null!=b?b:n.trim(n.text(a)).replace(sb," ")}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],(c.selected||i===e)&&(l.optDisabled?!c.disabled:null===c.getAttribute("disabled"))&&(!c.parentNode.disabled||!n.nodeName(c.parentNode,"optgroup"))){if(b=n(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=n.makeArray(b),g=e.length;while(g--)if(d=e[g],n.inArray(n.valHooks.option.get(d),f)>-1)try{d.selected=c=!0}catch(h){d.scrollHeight}else d.selected=!1;return c||(a.selectedIndex=-1),e}}}}),n.each(["radio","checkbox"],function(){n.valHooks[this]={set:function(a,b){return n.isArray(b)?a.checked=n.inArray(n(a).val(),b)>-1:void 0}},l.checkOn||(n.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var tb,ub,vb=n.expr.attrHandle,wb=/^(?:checked|selected)$/i,xb=l.getSetAttribute,yb=l.input;n.fn.extend({attr:function(a,b){return Y(this,n.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){n.removeAttr(this,a)})}}),n.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return"undefined"==typeof a.getAttribute?n.prop(a,b,c):(1===f&&n.isXMLDoc(a)||(b=b.toLowerCase(),e=n.attrHooks[b]||(n.expr.match.bool.test(b)?ub:tb)),void 0!==c?null===c?void n.removeAttr(a,b):e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:(a.setAttribute(b,c+""),c):e&&"get"in e&&null!==(d=e.get(a,b))?d:(d=n.find.attr(a,b),null==d?void 
0:d))},attrHooks:{type:{set:function(a,b){if(!l.radioValue&&"radio"===b&&n.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(G);if(f&&1===a.nodeType)while(c=f[e++])d=n.propFix[c]||c,n.expr.match.bool.test(c)?yb&&xb||!wb.test(c)?a[d]=!1:a[n.camelCase("default-"+c)]=a[d]=!1:n.attr(a,c,""),a.removeAttribute(xb?c:d)}}),ub={set:function(a,b,c){return b===!1?n.removeAttr(a,c):yb&&xb||!wb.test(c)?a.setAttribute(!xb&&n.propFix[c]||c,c):a[n.camelCase("default-"+c)]=a[c]=!0,c}},n.each(n.expr.match.bool.source.match(/\w+/g),function(a,b){var c=vb[b]||n.find.attr;yb&&xb||!wb.test(b)?vb[b]=function(a,b,d){var e,f;return d||(f=vb[b],vb[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,vb[b]=f),e}:vb[b]=function(a,b,c){return c?void 0:a[n.camelCase("default-"+b)]?b.toLowerCase():null}}),yb&&xb||(n.attrHooks.value={set:function(a,b,c){return n.nodeName(a,"input")?void(a.defaultValue=b):tb&&tb.set(a,b,c)}}),xb||(tb={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},vb.id=vb.name=vb.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},n.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:tb.set},n.attrHooks.contenteditable={set:function(a,b,c){tb.set(a,""===b?!1:b,c)}},n.each(["width","height"],function(a,b){n.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),l.style||(n.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var zb=/^(?:input|select|textarea|button|object)$/i,Ab=/^(?:a|area)$/i;n.fn.extend({prop:function(a,b){return Y(this,n.prop,a,b,arguments.length>1)},removeProp:function(a){return a=n.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete 
this[a]}catch(b){}})}}),n.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&n.isXMLDoc(a)||(b=n.propFix[b]||b,e=n.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=n.find.attr(a,"tabindex");return b?parseInt(b,10):zb.test(a.nodeName)||Ab.test(a.nodeName)&&a.href?0:-1}}},propFix:{"for":"htmlFor","class":"className"}}),l.hrefNormalized||n.each(["href","src"],function(a,b){n.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),l.optSelected||(n.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),n.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){n.propFix[this.toLowerCase()]=this}),l.enctype||(n.propFix.enctype="encoding");var Bb=/[\t\r\n\f]/g;function Cb(a){return n.attr(a,"class")||""}n.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).addClass(a.call(this,b,Cb(this)))});if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])d.indexOf(" "+f+" ")<0&&(d+=f+" ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).removeClass(a.call(this,b,Cb(this)))});if(!arguments.length)return this.attr("class","");if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])while(d.indexOf(" "+f+" ")>-1)d=d.replace(" "+f+" "," ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof 
b&&"string"===c?b?this.addClass(a):this.removeClass(a):n.isFunction(a)?this.each(function(c){n(this).toggleClass(a.call(this,c,Cb(this),b),b)}):this.each(function(){var b,d,e,f;if("string"===c){d=0,e=n(this),f=a.match(G)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&"boolean"!==c||(b=Cb(this),b&&n._data(this,"__className__",b),n.attr(this,"class",b||a===!1?"":n._data(this,"__className__")||""))})},hasClass:function(a){var b,c,d=0;b=" "+a+" ";while(c=this[d++])if(1===c.nodeType&&(" "+Cb(c)+" ").replace(Bb," ").indexOf(b)>-1)return!0;return!1}}),n.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){n.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),n.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}});var Db=a.location,Eb=n.now(),Fb=/\?/,Gb=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;n.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=n.trim(b+"");return e&&!n.trim(e.replace(Gb,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():n.error("Invalid JSON: "+b)},n.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new a.DOMParser,c=d.parseFromString(b,"text/xml")):(c=new a.ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||n.error("Invalid XML: "+b),c};var Hb=/#.*$/,Ib=/([?&])_=[^&]*/,Jb=/^(.*?):[ 
\t]*([^\r\n]*)\r?$/gm,Kb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Lb=/^(?:GET|HEAD)$/,Mb=/^\/\//,Nb=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Ob={},Pb={},Qb="*/".concat("*"),Rb=Db.href,Sb=Nb.exec(Rb.toLowerCase())||[];function Tb(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(G)||[];if(n.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Ub(a,b,c,d){var e={},f=a===Pb;function g(h){var i;return e[h]=!0,n.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Vb(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&n.extend(!0,a,c),a}function Wb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Xb(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to 
"+f}}}return{state:"success",data:b}}n.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:Rb,type:"GET",isLocal:Kb.test(Sb[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Qb,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/\bxml\b/,html:/\bhtml/,json:/\bjson\b/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":n.parseJSON,"text xml":n.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Vb(Vb(a,n.ajaxSettings),b):Vb(n.ajaxSettings,a)},ajaxPrefilter:Tb(Ob),ajaxTransport:Tb(Pb),ajax:function(b,c){"object"==typeof b&&(c=b,b=void 0),c=c||{};var d,e,f,g,h,i,j,k,l=n.ajaxSetup({},c),m=l.context||l,o=l.context&&(m.nodeType||m.jquery)?n(m):n.event,p=n.Deferred(),q=n.Callbacks("once memory"),r=l.statusCode||{},s={},t={},u=0,v="canceled",w={readyState:0,getResponseHeader:function(a){var b;if(2===u){if(!k){k={};while(b=Jb.exec(g))k[b[1].toLowerCase()]=b[2]}b=k[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===u?g:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return u||(a=t[c]=t[c]||a,s[a]=b),this},overrideMimeType:function(a){return u||(l.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>u)for(b in a)r[b]=[r[b],a[b]];else w.always(a[w.status]);return this},abort:function(a){var b=a||v;return j&&j.abort(b),y(0,b),this}};if(p.promise(w).complete=q.add,w.success=w.done,w.error=w.fail,l.url=((b||l.url||Rb)+"").replace(Hb,"").replace(Mb,Sb[1]+"//"),l.type=c.method||c.type||l.method||l.type,l.dataTypes=n.trim(l.dataType||"*").toLowerCase().match(G)||[""],null==l.crossDomain&&(d=Nb.exec(l.url.toLowerCase()),l.crossDomain=!(!d||d[1]===Sb[1]&&d[2]===Sb[2]&&(d[3]||("http:"===d[1]?"80":"443"))===(Sb[3]||("http:"===Sb[1]?"80":"443")))),l.data&&l.processData&&"string"!=typeof 
l.data&&(l.data=n.param(l.data,l.traditional)),Ub(Ob,l,c,w),2===u)return w;i=n.event&&l.global,i&&0===n.active++&&n.event.trigger("ajaxStart"),l.type=l.type.toUpperCase(),l.hasContent=!Lb.test(l.type),f=l.url,l.hasContent||(l.data&&(f=l.url+=(Fb.test(f)?"&":"?")+l.data,delete l.data),l.cache===!1&&(l.url=Ib.test(f)?f.replace(Ib,"$1_="+Eb++):f+(Fb.test(f)?"&":"?")+"_="+Eb++)),l.ifModified&&(n.lastModified[f]&&w.setRequestHeader("If-Modified-Since",n.lastModified[f]),n.etag[f]&&w.setRequestHeader("If-None-Match",n.etag[f])),(l.data&&l.hasContent&&l.contentType!==!1||c.contentType)&&w.setRequestHeader("Content-Type",l.contentType),w.setRequestHeader("Accept",l.dataTypes[0]&&l.accepts[l.dataTypes[0]]?l.accepts[l.dataTypes[0]]+("*"!==l.dataTypes[0]?", "+Qb+"; q=0.01":""):l.accepts["*"]);for(e in l.headers)w.setRequestHeader(e,l.headers[e]);if(l.beforeSend&&(l.beforeSend.call(m,w,l)===!1||2===u))return w.abort();v="abort";for(e in{success:1,error:1,complete:1})w[e](l[e]);if(j=Ub(Pb,l,c,w)){if(w.readyState=1,i&&o.trigger("ajaxSend",[w,l]),2===u)return w;l.async&&l.timeout>0&&(h=a.setTimeout(function(){w.abort("timeout")},l.timeout));try{u=1,j.send(s,y)}catch(x){if(!(2>u))throw x;y(-1,x)}}else y(-1,"No Transport");function y(b,c,d,e){var k,s,t,v,x,y=c;2!==u&&(u=2,h&&a.clearTimeout(h),j=void 0,g=e||"",w.readyState=b>0?4:0,k=b>=200&&300>b||304===b,d&&(v=Wb(l,w,d)),v=Xb(l,v,w,k),k?(l.ifModified&&(x=w.getResponseHeader("Last-Modified"),x&&(n.lastModified[f]=x),x=w.getResponseHeader("etag"),x&&(n.etag[f]=x)),204===b||"HEAD"===l.type?y="nocontent":304===b?y="notmodified":(y=v.state,s=v.data,t=v.error,k=!t)):(t=y,!b&&y||(y="error",0>b&&(b=0))),w.status=b,w.statusText=(c||y)+"",k?p.resolveWith(m,[s,y,w]):p.rejectWith(m,[w,y,t]),w.statusCode(r),r=void 0,i&&o.trigger(k?"ajaxSuccess":"ajaxError",[w,l,k?s:t]),q.fireWith(m,[w,y]),i&&(o.trigger("ajaxComplete",[w,l]),--n.active||n.event.trigger("ajaxStop")))}return w},getJSON:function(a,b,c){return 
n.get(a,b,c,"json")},getScript:function(a,b){return n.get(a,void 0,b,"script")}}),n.each(["get","post"],function(a,b){n[b]=function(a,c,d,e){return n.isFunction(c)&&(e=e||d,d=c,c=void 0),n.ajax(n.extend({url:a,type:b,dataType:e,data:c,success:d},n.isPlainObject(a)&&a))}}),n._evalUrl=function(a){return n.ajax({url:a,type:"GET",dataType:"script",cache:!0,async:!1,global:!1,"throws":!0})},n.fn.extend({wrapAll:function(a){if(n.isFunction(a))return this.each(function(b){n(this).wrapAll(a.call(this,b))});if(this[0]){var b=n(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return n.isFunction(a)?this.each(function(b){n(this).wrapInner(a.call(this,b))}):this.each(function(){var b=n(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=n.isFunction(a);return this.each(function(c){n(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){n.nodeName(this,"body")||n(this).replaceWith(this.childNodes)}).end()}});function Yb(a){return a.style&&a.style.display||n.css(a,"display")}function Zb(a){if(!n.contains(a.ownerDocument||d,a))return!0;while(a&&1===a.nodeType){if("none"===Yb(a)||"hidden"===a.type)return!0;a=a.parentNode}return!1}n.expr.filters.hidden=function(a){return l.reliableHiddenOffsets()?a.offsetWidth<=0&&a.offsetHeight<=0&&!a.getClientRects().length:Zb(a)},n.expr.filters.visible=function(a){return!n.expr.filters.hidden(a)};var $b=/%20/g,_b=/\[\]$/,ac=/\r?\n/g,bc=/^(?:submit|button|image|reset|file)$/i,cc=/^(?:input|select|textarea|keygen)/i;function dc(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||_b.test(a)?d(a,e):dc(a+"["+("object"==typeof e&&null!=e?b:"")+"]",e,c,d)});else if(c||"object"!==n.type(b))d(a,b);else for(e in b)dc(a+"["+e+"]",b[e],c,d)}n.param=function(a,b){var 
</script></head><body><nav class="navbar navbar-default"><div class="navbar-header" style="float: none"><a class="navbar-brand" href="#"><svg 
xmlns="http://www.w3.org/2000/svg" version="1.1" width="52" height="52" id="svg2"><g transform="matrix(0.75266991,0,0,0.75266991,-17.752968,-104.57468)" id="g32"><path d="m 24.7,173.5 c 0,-9 3.5,-17.5 9.9,-23.9 6.8,-6.8 15.7,-10.4 25,-10 8.6,0.3 16.9,3.9 22.9,9.8 6.4,6.4 9.9,14.9 10,23.8 0.1,9.1 -3.5,17.8 -10,24.3 -13.2,13.2 -34.7,13.1 -48,-0.1 -1.5,-1.5 -1.9,-4.2 0.2,-6.2 l 9,-9 c -2,-3.6 -4.9,-13.1 2.6,-20.7 7.6,-7.6 18.6,-6 24.4,-0.2 3.3,3.3 5.1,7.6 5.1,12.1 0.1,4.6 -1.8,9.1 -5.3,12.5 -4.2,4.2 -10.2,5.8 -16.1,4.4 -1.5,-0.4 -2.4,-1.9 -2.1,-3.4 0.4,-1.5 1.9,-2.4 3.4,-2.1 4.1,1 8,-0.1 10.9,-2.9 2.3,-2.3 3.6,-5.3 3.6,-8.4 0,0 0,-0.1 0,-0.1 0,-3 -1.3,-5.9 -3.5,-8.2 -3.9,-3.9 -11.3,-4.9 -16.5,0.2 -6.3,6.3 -1.6,14.1 -1.6,14.2 1.5,2.4 0.7,5 -0.9,6.3 l -8.4,8.4 c 9.9,8.9 27.2,11.2 39.1,-0.8 5.4,-5.4 8.4,-12.5 8.4,-20 0,-0.1 0,-0.2 0,-0.3 -0.1,-7.5 -3,-14.6 -8.4,-19.9 -5,-5 -11.9,-8 -19.1,-8.2 -7.8,-0.3 -15.2,2.7 -20.9,8.4 -8.7,8.7 -8.7,19 -7.9,24.3 0.3,2.4 1.1,4.9 2.2,7.3 0.6,1.4 0,3.1 -1.4,3.7 -1.4,0.6 -3.1,0 -3.7,-1.4 -1.3,-2.9 -2.2,-5.8 -2.6,-8.7 -0.3,-1.7 -0.4,-3.5 -0.4,-5.2 z" id="path34" style="fill:#12497f"></path></g></svg></a><div><h1>OpenSCAP Evaluation Report</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</h2><blockquote>with profile <mark>ANSSI-BP-028 (high)</mark><div class="col-md-12 well well-lg horizontal-scroll"><div class="description profile-description"><small>This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/</small></div></div></blockquote><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">The SCAP Security Guide Project<br> <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a> </div><div class="description">This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the <code>scap-security-guide</code> package which is developed at <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>. <br><br> Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a <em>catalog, not a checklist</em>, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF <em>Profiles</em>, which are selections of items that form checklists and can be used as baselines, are available with this guide. 
They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance. </div><div class="top-spacer-10"><div class="alert alert-info">Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. </div></div></div></div></div><div id="characteristics"><h2>Evaluation Characteristics</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Evaluation target</th><td>localhost</td></tr><tr><th>Benchmark URL</th><td>#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml</td></tr><tr><th>Benchmark ID</th><td>xccdf_org.ssgproject.content_benchmark_RHEL-8</td></tr><tr><th>Benchmark version</th><td>0.1.56</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr><tr><th>Started at</th><td>2021-06-18T12:02:23+01:00</td></tr><tr><th>Finished at</th><td>2021-06-18T12:05:36+01:00</td></tr><tr><th>Performed by</th><td>test</td></tr><tr><th>Test system</th><td>cpe:/a:redhat:openscap:1.3.5</td></tr></table></div><div class="col-md-3 horizontal-scroll"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:8 was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div><div class="col-md-4 horizontal-scroll"><h4>Addresses</h4><ul class="list-group"><li class="list-group-item"><span class="label label-primary">IPv4</span>  127.0.0.1</li><li class="list-group-item"><span class="label 
label-primary">IPv4</span>  192.168.122.198</li><li class="list-group-item"><span class="label label-info">IPv6</span>  0:0:0:0:0:0:0:1</li><li class="list-group-item"><span class="label label-info">IPv6</span>  fe80:0:0:0:5054:ff:fee6:ccee</li><li class="list-group-item"><span class="label label-default">MAC</span>  00:00:00:00:00:00</li><li class="list-group-item"><span class="label label-default">MAC</span>  52:54:00:E6:CC:EE</li></ul></div></div></div><div id="compliance-and-scoring"><h2>Compliance and Scoring</h2><div class="alert alert-danger"><strong>The target system did not satisfy the conditions of 9 rules!</strong> Please review rule results and consider applying remediation. </div><h3>Rule results</h3><div class="progress" title="Displays proportion of passed/fixed, failed/error, and other rules (in that order). There were $not_ignored_rules_count rules taken into account."><div class="progress-bar progress-bar-success" style="width: 93.9890710382514%">172 passed </div><div class="progress-bar progress-bar-danger" style="width: 4.918032786885246%">9 failed </div><div class="progress-bar progress-bar-warning" style="width: 1.092896174863389%">2 other </div></div><h3>Severity of failed rules</h3><div class="progress" title="Displays proportion of high, medium, low, and other severity failed rules (in that order). 
There were 9 total failed rules."><div class="progress-bar progress-bar-success" style="width: 0%">0 other </div><div class="progress-bar progress-bar-info" style="width: 0%">0 low </div><div class="progress-bar progress-bar-warning" style="width: 88.8888888888889%">8 medium </div><div class="progress-bar progress-bar-danger" style="width: 11.1111111111111%">1 high </div></div><h3 title="As per the XCCDF specification">Score</h3><table class="table table-striped table-bordered"><thead><tr><th>Scoring system</th><th class="text-center">Score</th><th class="text-center">Maximum</th><th class="text-center" style="width: 40%">Percent</th></tr></thead><tbody><tr><td>urn:xccdf:scoring:default</td><td class="text-center">95.305061</td><td class="text-center">100.000000</td><td><div class="progress"><div class="progress-bar progress-bar-success" style="width: 95.305061%">95.31%</div><div class="progress-bar progress-bar-danger" style="width: 4.694939000000005%"></div></div></td></tr></tbody></table></div><div id="rule-overview"><h2>Rule Overview</h2><div class="form-group js-only hidden-print"><div class="row"><div title="Filter rules by their XCCDF result"><div class="col-sm-2 toggle-rule-display-success"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="pass">pass</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fixed">fixed</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="informational">informational</label></div></div><div class="col-sm-2 toggle-rule-display-danger"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fail">fail</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" 
onclick="toggleRuleDisplay(this)" checked value="error">error</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="unknown">unknown</label></div></div><div class="col-sm-2 toggle-rule-display-other"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notchecked">notchecked</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notapplicable">notapplicable</label></div></div></div><div class="col-sm-6"><div class="input-group"><input type="text" class="form-control" placeholder="Search through XCCDF rules" id="search-input" oninput="ruleSearch()"><div class="input-group-btn"><button class="btn btn-default" onclick="ruleSearch()">Search</button></div></div><p id="search-matches"></p> Group rules by: <select name="groupby" onchange="groupRulesBy(value)"><option value="default" selected>Default</option><option value="severity">Severity</option><option value="result">Result</option><option disabled>──────────</option><option value="NIST SP 800-171">NIST SP 800-171</option><option value="NIST SP 800-53">NIST SP 800-53</option><option value="ANSSI">ANSSI</option><option value="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</option><option value="https://public.cyber.mil/stigs/cci/">https://public.cyber.mil/stigs/cci/</option><option value="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os</option><option value="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux</option><option 
value="https://public.cyber.mil/stigs/srg-stig-tools/">https://public.cyber.mil/stigs/srg-stig-tools/</option><option value="https://www.cisecurity.org/benchmark/red_hat_linux/">https://www.cisecurity.org/benchmark/red_hat_linux/</option><option value="https://www.cisecurity.org/controls/">https://www.cisecurity.org/controls/</option><option value="FBI CJIS">FBI CJIS</option><option value="HIPAA">HIPAA</option><option value="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731</option><option value="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785</option><option value="https://www.isaca.org/resources/cobit">https://www.isaca.org/resources/cobit</option><option value="ISO 27001-2013">ISO 27001-2013</option><option value="https://www.niap-ccevs.org/Profile/PP.cfm">https://www.niap-ccevs.org/Profile/PP.cfm</option><option value="PCI-DSS Requirement">PCI-DSS Requirement</option></select></div></div></div><table class="treetable table table-bordered"><thead><tr><th>Title</th><th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody><tr data-tt-id="xccdf_org.ssgproject.content_benchmark_RHEL-8" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 0px"><strong>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</strong> <span class="badge">9x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 19px"><strong>System 
Settings</strong> <span class="badge">9x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Installing and Maintaining Software</strong> <span class="badge">3x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">System and Software Integrity<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_integrity");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software-integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software-integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px">Software Integrity Checking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_software-integrity");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px">Verify Integrity with AIDE<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_aide");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_aide_installed" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-overview-leaf-idm45662296184064" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"":["1034","1288","1341","1417"],"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/cci/":["CCI-002699","CCI-001744"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000363-GPOS-00150"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010360"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230263r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.4.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI CJIS":["5.10.1.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296184064" onclick="return openRuleDetailsDialog('idm45662296184064')">Install AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr 
title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="rule-overview-leaf-idm45662296180080" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI CJIS":["5.10.1.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296180080" onclick="return openRuleDetailsDialog('idm45662296180080')">Build and Test AIDE Database</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-overview-leaf-idm45662296176112" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["SI-7","SI-7(1)","CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001744","CCI-002699","CCI-002702"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000363-GPOS-00150","SRG-OS-000446-GPOS-00200","SRG-OS-000447-GPOS-00201"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.4.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI CJIS":["5.10.1.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296176112" onclick="return openRuleDetailsDialog('idm45662296176112')">Configure Periodic Execution of AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_aide_scan_notification" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_scan_notification" id="rule-overview-leaf-idm45662296172112" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["CM-6(a)","CM-3(5)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001744","CCI-002702"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000363-GPOS-00150","SRG-OS-000447-GPOS-00201"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010360"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230263r627750_rule"],"https://www.cisecurity.org/controls/":["1","11","12","13","15","16","2","3","5","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 6.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI01.06","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07"],"ISO 27001-2013":["A.12.1.2","A.12.4.1","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296172112" onclick="return openRuleDetailsDialog('idm45662296172112')">Configure Notification of Post-AIDE Scan Details</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" id="rule-overview-leaf-idm45662296168128" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["SI-7","SI-7(1)","CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040300"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230551r627750_rule"],"https://www.cisecurity.org/controls/":["2","3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.2.1","A.12.5.1","A.14.1.2","A.14.1.3","A.14.2.4"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296168128" onclick="return openRuleDetailsDialog('idm45662296168128')">Configure AIDE to Verify Extended Attributes</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_verify_acls" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_verify_acls" id="rule-overview-leaf-idm45662296164128" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 
800-53":["SI-7","SI-7(1)","CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040310"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230552r627750_rule"],"https://www.cisecurity.org/controls/":["2","3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.2.1","A.12.5.1","A.14.1.2","A.14.1.3","A.14.2.4"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662296164128" onclick="return openRuleDetailsDialog('idm45662296164128')">Configure AIDE to Verify Access Control Lists (ACLs)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Sudo</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sudo_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-overview-leaf-idm45662296088240" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["1382","1384","1386"],"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R19)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.3.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296088240" onclick="return openRuleDetailsDialog('idm45662296088240')">Install sudo Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot" id="rule-overview-leaf-idm45662296081536" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296081536" onclick="return openRuleDetailsDialog('idm45662296081536')">Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="rule-overview-leaf-idm45662296077568" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296077568" onclick="return openRuleDetailsDialog('idm45662296077568')">Ensure Privileged 
Escalated Commands Cannot Execute Other Commands - sudo NOEXEC</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout" id="rule-overview-leaf-idm45662296073600" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296073600" onclick="return openRuleDetailsDialog('idm45662296073600')">Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" id="rule-overview-leaf-idm45662296066096" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R61)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296066096" onclick="return openRuleDetailsDialog('idm45662296066096')">Don't define allowed commands in sudoers by means of exclusion</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="rule-overview-leaf-idm45662296062096" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296062096" onclick="return openRuleDetailsDialog('idm45662296062096')">Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_requiretty" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_requiretty" id="rule-overview-leaf-idm45662296055424" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296055424" onclick="return openRuleDetailsDialog('idm45662296055424')">Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="rule-overview-leaf-idm45662296051456" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296051456" onclick="return openRuleDetailsDialog('idm45662296051456')">Ensure sudo Runs In A Minimal Environment - sudo env_reset</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_umask" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_umask" id="rule-overview-leaf-idm45662296047488" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R58)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296047488" onclick="return openRuleDetailsDialog('idm45662296047488')">Ensure sudo umask is appropriate - sudo umask</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662296040000" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R63)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296040000" onclick="return openRuleDetailsDialog('idm45662296040000')">Explicit arguments in sudo specifications</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_dedicated_group" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662296036000" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" 
data-references='{"ANSSI":["BP28(R57)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296036000" onclick="return openRuleDetailsDialog('idm45662296036000')">Ensure a dedicated group owns sudo</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-overview-leaf-idm45662296031200" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["SRG-OS-000373-VMM-001470","SRG-OS-000373-VMM-001480","SRG-OS-000373-VMM-001490"],"NIST SP 800-53":["IA-11","CM-6(a)"],"ANSSI":["BP28(R5)","BP28(R59)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010381"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230272r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 
27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296031200" onclick="return openRuleDetailsDialog('idm45662296031200')">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudoers_no_root_target" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662296027200" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"ANSSI":["BP28(R60)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296027200" onclick="return openRuleDetailsDialog('idm45662296027200')">Don't target root user in the sudoers file</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-overview-leaf-idm45662296023216" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["SRG-OS-000373-VMM-001470","SRG-OS-000373-VMM-001480","SRG-OS-000373-VMM-001490"],"NIST SP 
800-53":["IA-11","CM-6(a)"],"ANSSI":["BP28(R5)","BP28(R59)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010380"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230271r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662296023216" onclick="return openRuleDetailsDialog('idm45662296023216')">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">Disk 
Partitioning<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disk_partitioning");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-overview-leaf-idm45662295864656" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000341-VMM-001220"],"NIST SP 800-53":["CM-6(a)","AU-4","SC-5(2)"],"ANSSI":["BP28(R43)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-4","PR.PT-1","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001849"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000341-GPOS-00132","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010542"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230294r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.12"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","8"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO11.04","APO13.01","BAI03.05","BAI04.04","DSS05.02","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.17.2.1"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662295864656" onclick="return openRuleDetailsDialog('idm45662295864656')">Ensure /var/log/audit Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_boot" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_boot" id="rule-overview-leaf-idm45662295860656" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295860656" onclick="return openRuleDetailsDialog('idm45662295860656')">Ensure /boot Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_opt" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_opt" id="rule-overview-leaf-idm45662295856688" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295856688" onclick="return openRuleDetailsDialog('idm45662295856688')">Ensure /opt Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_tmp" 
class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-overview-leaf-idm45662295850032" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"NIST SP 800-53":["CM-6(a)","SC-5(2)"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010543"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230295r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.2"],"https://www.cisecurity.org/controls/":["12","15","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295850032" onclick="return openRuleDetailsDialog('idm45662295850032')">Ensure /tmp Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_srv" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_srv" id="rule-overview-leaf-idm45662295846064" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662295846064" onclick="return openRuleDetailsDialog('idm45662295846064')">Ensure /srv Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_usr" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_usr" id="rule-overview-leaf-idm45662295842096" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295842096" onclick="return openRuleDetailsDialog('idm45662295842096')">Ensure /usr Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-overview-leaf-idm45662295838128" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000341-VMM-001220"],"NIST SP 
800-53":["CM-6(a)","SC-5(2)"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010540"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230292r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.6"],"https://www.cisecurity.org/controls/":["12","15","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295838128" onclick="return openRuleDetailsDialog('idm45662295838128')">Ensure /var Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_tmp" id="rule-overview-leaf-idm45662295834160" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"ANSSI":["BP28(R12)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295834160" onclick="return 
openRuleDetailsDialog('idm45662295834160')">Ensure /var/tmp Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log" id="rule-overview-leaf-idm45662295830192" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"NIST SP 800-53":["CM-6(a)","AU-4","SC-5(2)"],"ANSSI":["BP28(R12)","BP28(R47)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010541"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230293r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.11"],"https://www.cisecurity.org/controls/":["1","12","14","15","16","3","5","6","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO11.04","APO13.01","BAI03.05","DSS05.02","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662295830192" onclick="return openRuleDetailsDialog('idm45662295830192')">Ensure /var/log Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_home" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-overview-leaf-idm45662295826224" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"NIST SP 800-53":["CM-6(a)","SC-5(2)"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001208"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010800"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230328r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.13"],"https://www.cisecurity.org/controls/":["12","15","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295826224" onclick="return openRuleDetailsDialog('idm45662295826224')">Ensure /home Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Updating Software</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" id="rule-overview-leaf-idm45662295822256" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295822256" onclick="return openRuleDetailsDialog('idm45662295822256')">Install dnf-automatic Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-overview-leaf-idm45662295818256" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.2.3"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295818256" onclick="return openRuleDetailsDialog('idm45662295818256')">Ensure Red Hat GPG Key Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" id="rule-overview-leaf-idm45662295814256" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"NIST SP 
800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295814256" onclick="return openRuleDetailsDialog('idm45662295814256')">Enable dnf-automatic Timer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-overview-leaf-idm45662295810256" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-53":["SI-2(5)","SI-2(c)","CM-6(a)"],"ANSSI":["BP28(R08)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["ID.RA-1","PR.IP-12"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010010"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230222r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.9"],"https://www.cisecurity.org/controls/":["18","20","4"],"FBI CJIS":["5.10.4.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3","4.2.3.12","4.2.3.7","4.2.3.9"],"https://www.isaca.org/resources/cobit":["APO12.01","APO12.02","APO12.03","APO12.04","BAI03.10","DSS05.01","DSS05.02"],"ISO 
27001-2013":["A.12.6.1","A.14.2.3","A.16.1.3","A.18.2.2","A.18.2.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295810256" onclick="return openRuleDetailsDialog('idm45662295810256')">Ensure Software Patches Installed</a> () </td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" id="rule-overview-leaf-idm45662295805600" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295805600" onclick="return openRuleDetailsDialog('idm45662295805600')">Configure dnf-automatic to Install Only Security Updates</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-overview-leaf-idm45662295801600" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-11(a)","CM-11(b)","CM-6(a)","CM-5(3)","SA-12","SA-12(10)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010371"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230265r627750_rule"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295801600" onclick="return openRuleDetailsDialog('idm45662295801600')">Ensure gpgcheck Enabled for Local Packages</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="rule-overview-leaf-idm45662295794896" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["0940","1144","1467","1472","1483","1493","1494","1495"],"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295794896" onclick="return openRuleDetailsDialog('idm45662295794896')">Configure dnf-automatic to Install Available Updates Automatically</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-overview-leaf-idm45662295788192" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI 
CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295788192" onclick="return openRuleDetailsDialog('idm45662295788192')">Ensure gpgcheck Enabled for All yum Package Repositories</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-overview-leaf-idm45662295784192" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010370"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230264r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.2.4"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295784192" onclick="return openRuleDetailsDialog('idm45662295784192')">Ensure gpgcheck Enabled In Main yum Configuration</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_prefer_64bit_os" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_prefer_64bit_os" id="rule-overview-leaf-idm45662296196112" data-tt-parent-id="xccdf_org.ssgproject.content_group_software" data-references='{"ANSSI":["BP28(R10)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662296196112" onclick="return openRuleDetailsDialog('idm45662296196112')">Prefer to use a 64-bit Operating System when supported</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">Account and Access Control<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Accounts by Configuring PAM<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-pam");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Hashing 
Algorithm<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_set_password_hashing_algorithm");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-overview-leaf-idm45662295741104" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"":["0418","1055","1402","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(c)","CM-6(a)"],"ANSSI":["BP28(R32)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000196"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000073-GPOS-00041"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010160"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230237r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.4"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS 
Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295741104" onclick="return openRuleDetailsDialog('idm45662295741104')">Set PAM's Password Hashing Algorithm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Quality Requirements<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pwquality" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality"><td colspan="3" style="padding-left: 95px">Set Password Quality Requirements with pam_pwquality<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality_pwquality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-overview-leaf-idm45662295726256" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000266-VMM-000940"],"NIST SP 
800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-001619"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000266-GPOS-00101"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020280"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230375r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662295726256" onclick="return openRuleDetailsDialog('idm45662295726256')">Ensure PAM Enforces Password Requirements - Minimum Special Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" 
id="rule-overview-leaf-idm45662295716016" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000070-VMM-000370"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000193"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000070-GPOS-00038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020120"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230358r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662295716016" onclick="return openRuleDetailsDialog('idm45662295716016')">Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-overview-leaf-idm45662295711184" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000071-VMM-000380"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000194"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000071-GPOS-00039"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020130"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230359r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a 
href="#rule-detail-idm45662295711184" onclick="return openRuleDetailsDialog('idm45662295711184')">Ensure PAM Enforces Password Requirements - Minimum Digit Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-overview-leaf-idm45662295706352" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000069-VMM-000360"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000192"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000069-GPOS-00037"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020110"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230357r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 
2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662295706352" onclick="return openRuleDetailsDialog('idm45662295706352')">Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-overview-leaf-idm45662295701520" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000072-VMM-000390","SRG-OS-000078-VMM-000450"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000205"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000078-GPOS-00046"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020230"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230369r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI 
CJIS":["5.6.2.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45662295701520" onclick="return openRuleDetailsDialog('idm45662295701520')">Ensure PAM Enforces Password Requirements - Minimum Length</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Lockouts for Failed Password Attempts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_locking_out_password_attempts");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" 
id="rule-overview-leaf-idm45662295693984" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000021-VMM-000050"],"NIST SP 800-53":["CM-6(a)","AC-7(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020012"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230334r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295693984" onclick="return openRuleDetailsDialog('idm45662295693984')">Set Interval For Counting Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-overview-leaf-idm45662295689088" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["SRG-OS-000077-VMM-000440"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(e)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000200"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000077-GPOS-00045"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020220"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230368r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.3"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295689088" onclick="return openRuleDetailsDialog('idm45662295689088')">Limit Password Reuse</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-overview-leaf-idm45662295684240" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000329-VMM-001180"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["CM-6(a)","AC-7(b)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020014"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230336r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.2"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.1.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295684240" 
onclick="return openRuleDetailsDialog('idm45662295684240')">Set Lockout Time for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-overview-leaf-idm45662295679328" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000021-VMM-000050"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["CM-6(a)","AC-7(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020010"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230332r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.2"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 
1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.1.6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295679328" onclick="return openRuleDetailsDialog('idm45662295679328')">Set Deny For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-overview-leaf-idm45662295674464" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 
800-53":["CM-6(a)","AC-7(b)","IA-5(c)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002238","CCI-000044"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020022"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230344r646874_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295674464" onclick="return openRuleDetailsDialog('idm45662295674464')">Configure the root Account for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_pam_namespace" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_enable_pam_namespace" id="rule-overview-leaf-idm45662295750512" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam" data-references='{"ANSSI":["BP28(R39)"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662295750512" onclick="return openRuleDetailsDialog('idm45662295750512')">Set Up a Private Namespace in PAM Configuration</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Accounts by Restricting Password-Based Login<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Set Password Expiration Parameters<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_expiration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" id="rule-overview-leaf-idm45662295619072" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 800-171":["3.5.7"],"NIST SP 
800-53":["IA-5(f)","IA-5(1)(a)","CM-6(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000205"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000078-GPOS-00046"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020231"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230370r627750_rule"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295619072" onclick="return openRuleDetailsDialog('idm45662295619072')">Set Password Minimum Length in login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" 
id="rule-overview-leaf-idm45662295614208" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000076-GPOS-00044"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020200"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230366r646878_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.1.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295614208" onclick="return openRuleDetailsDialog('idm45662295614208')">Set Password Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Restrict Root Logins<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_root_logins");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_direct_root_logins" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_direct_root_logins" id="rule-overview-leaf-idm45662295586288" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"NIST SP 800-171":["3.1.1","3.1.6"],"NIST SP 800-53":["IA-2","CM-6(a)"],"ANSSI":["BP28(R19)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 
95px"><a href="#rule-detail-idm45662295586288" onclick="return openRuleDetailsDialog('idm45662295586288')">Direct root Logins Not Allowed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Verify Proper Storage and Existence of Password Hashes<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_storage");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth" id="rule-overview-leaf-idm45662295548528" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"ANSSI":["BP28(R32)"],"https://public.cyber.mil/stigs/cci/":["CCI-000196"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000073-GPOS-00041"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010130"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230233r627750_rule"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295548528" onclick="return openRuleDetailsDialog('idm45662295548528')">Set number of Password Hashing Rounds - system-auth</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or 
system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth" id="rule-overview-leaf-idm45662295540944" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"ANSSI":["BP28(R32)"],"https://public.cyber.mil/stigs/cci/":["CCI-000196"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000073-GPOS-00041"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010130"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230233r627750_rule"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295540944" onclick="return openRuleDetailsDialog('idm45662295540944')">Set number of Password Hashing Rounds - password-auth</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Secure Session Configuration Files for Login Accounts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-session");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_user_umask" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_user_umask" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session"><td colspan="3" style="padding-left: 76px">Ensure that Users Have Sensible Umask Values<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_user_umask");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" id="rule-overview-leaf-idm45662295476320" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"NIST SP 800-53":["AC-6(1)","CM-6(a)"],"ANSSI":["BP28(R35)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020353"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230385r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.4"],"https://www.cisecurity.org/controls/":["18"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03"],"ISO 27001-2013":["A.14.1.1","A.14.2.1","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295476320" onclick="return openRuleDetailsDialog('idm45662295476320')">Ensure the Default Bash Umask is Set Correctly</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" id="rule-overview-leaf-idm45662295468784" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"NIST SP 800-53":["AC-6(1)","CM-6(a)"],"ANSSI":["BP28(R35)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.4"],"https://www.cisecurity.org/controls/":["18"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03"],"ISO 27001-2013":["A.14.1.1","A.14.2.1","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295468784" onclick="return openRuleDetailsDialog('idm45662295468784')">Ensure the Default Umask is Set Correctly in /etc/profile</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-overview-leaf-idm45662295463952" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"NIST SP 
800-53":["AC-6(1)","CM-6(a)"],"ANSSI":["BP28(R35)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-020351"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230383r627750_rule"],"https://www.cisecurity.org/controls/":["11","18","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03","BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.1.1","A.14.2.1","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295463952" onclick="return openRuleDetailsDialog('idm45662295463952')">Ensure the Default Umask is Set Correctly in login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" id="rule-overview-leaf-idm45662295525840" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"ANSSI":["BP28(R39)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295525840" onclick="return openRuleDetailsDialog('idm45662295525840')">Configure Polyinstantiation of /tmp 
Directories</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" id="rule-overview-leaf-idm45662295500832" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"ANSSI":["BP28(R39)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295500832" onclick="return openRuleDetailsDialog('idm45662295500832')">Configure Polyinstantiation of /var/tmp Directories</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_tmout" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_tmout" id="rule-overview-leaf-idm45662295496832" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"":["SRG-OS-000163-VMM-000700","SRG-OS-000279-VMM-001010"],"NIST SP 800-171":["3.1.11"],"NIST SP 
800-53":["AC-12","SC-10","AC-2(5)","CM-6(a)"],"ANSSI":["BP28(R29)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000057","CCI-001133","CCI-002361"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000163-GPOS-00072","SRG-OS-000029-GPOS-00010"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.3"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662295496832" onclick="return openRuleDetailsDialog('idm45662295496832')">Set Interactive Session Timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">System Accounting with auditd<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_auditing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" 
class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px">Configure auditd Rules for Comprehensive Auditing<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_auditd_configure_rules");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_privileged_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Information on the Use of Privileged Commands<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_privileged_commands");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" id="rule-overview-leaf-idm45662295094256" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"":["SRG-OS-000471-VMM-001910"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"ANSSI":["BP28(R19)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000130","CCI-000135","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662295094256" onclick="return openRuleDetailsDialog('idm45662295094256')">Ensure auditd Collects Information on the Use of Privileged Commands - sudo</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network" 
class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">Network Configuration and Firewalls<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-kernel" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-kernel" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Kernel Parameters Which Affect Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-kernel");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Related Kernel Runtime Parameters for Hosts and Routers<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_and_router_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" id="rule-overview-leaf-idm45662294879648" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45662294879648" onclick="return openRuleDetailsDialog('idm45662294879648')">Configure Kernel Parameter for Accepting Secure Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-overview-leaf-idm45662294874736" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001503","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040280"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230544r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","7","8","9"],"FBI 
CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294874736" onclick="return openRuleDetailsDialog('idm45662294874736')">Disable Accepting ICMP Redirects for All IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-overview-leaf-idm45662294867760" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040250"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230539r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294867760" onclick="return openRuleDetailsDialog('idm45662294867760')">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" id="rule-overview-leaf-idm45662294862832" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5(1)","SC-5(2)","SC-5(3)(a)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001095"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000420-GPOS-00186","SRG-OS-000142-GPOS-00071"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.8"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"FBI 
CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294862832" onclick="return openRuleDetailsDialog('idm45662294862832')">Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range" id="rule-overview-leaf-idm45662294857984" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294857984" onclick="return openRuleDetailsDialog('idm45662294857984')">Set Kernel Parameter to Increase Local Port Range</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-overview-leaf-idm45662294853984" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040210"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230535r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 
3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294853984" onclick="return openRuleDetailsDialog('idm45662294853984')">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" id="rule-overview-leaf-idm45662294849072" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5(3)(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.AC-3","PR.DS-4","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.04","DSS03.05","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294849072" onclick="return openRuleDetailsDialog('idm45662294849072')">Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or 
system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" id="rule-overview-leaf-idm45662294844192" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.6"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45662294844192" onclick="return openRuleDetailsDialog('idm45662294844192')">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" id="rule-overview-leaf-idm45662294839264" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.7"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294839264" onclick="return openRuleDetailsDialog('idm45662294839264')">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" id="rule-overview-leaf-idm45662294834368" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001503","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45662294834368" onclick="return openRuleDetailsDialog('idm45662294834368')">Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-overview-leaf-idm45662294829456" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040240"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230538r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4
.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294829456" onclick="return openRuleDetailsDialog('idm45662294829456')">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337" id="rule-overview-leaf-idm45662294824544" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294824544" onclick="return openRuleDetailsDialog('idm45662294824544')">Enable Kernel 
Parameter to Use TCP RFC 1337 on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" id="rule-overview-leaf-idm45662294814256" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040285"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230549r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.7"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294814256" onclick="return openRuleDetailsDialog('idm45662294814256')">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Parameters for Hosts Only<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-overview-leaf-idm45662294809392" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040270"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230543r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.1.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294809392" onclick="return openRuleDetailsDialog('idm45662294809392')">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-overview-leaf-idm45662294805360" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040220"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230536r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.1.2"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294805360" onclick="return openRuleDetailsDialog('idm45662294805360')">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-overview-leaf-idm45662294801344" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","CM-6(a)","SC-7(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040260"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230540r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.1.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294801344" onclick="return openRuleDetailsDialog('idm45662294801344')">Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">IPv6<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configuring_ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipv6"><td colspan="3" style="padding-left: 76px">Configure IPv6 Settings if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configuring_ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" id="rule-overview-leaf-idm45662294785744" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040210"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230535r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.2"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294785744" onclick="return openRuleDetailsDialog('idm45662294785744')">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref" id="rule-overview-leaf-idm45662294780832" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294780832" onclick="return openRuleDetailsDialog('idm45662294780832')">Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses" id="rule-overview-leaf-idm45662294775920" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294775920" onclick="return openRuleDetailsDialog('idm45662294775920')">Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" 
id="rule-overview-leaf-idm45662294765584" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-5","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040250"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230539r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.1"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","4","6","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294765584" onclick="return openRuleDetailsDialog('idm45662294765584')">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations" id="rule-overview-leaf-idm45662294758592" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294758592" onclick="return openRuleDetailsDialog('idm45662294758592')">Configure Denying Router Solicitations on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-overview-leaf-idm45662294753664" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-5","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040240"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230538r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.2.1"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","4","6","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO13.01","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294753664" onclick="return openRuleDetailsDialog('idm45662294753664')">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf" id="rule-overview-leaf-idm45662294746048" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294746048" onclick="return openRuleDetailsDialog('idm45662294746048')">Configure Auto Configuration on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo" id="rule-overview-leaf-idm45662294741168" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294741168" onclick="return openRuleDetailsDialog('idm45662294741168')">Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf" id="rule-overview-leaf-idm45662294734208" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45662294734208" onclick="return openRuleDetailsDialog('idm45662294734208')">Configure Auto Configuration on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr" id="rule-overview-leaf-idm45662294729344" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294729344" onclick="return openRuleDetailsDialog('idm45662294729344')">Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses" id="rule-overview-leaf-idm45662294724432" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294724432" onclick="return openRuleDetailsDialog('idm45662294724432')">Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo" id="rule-overview-leaf-idm45662294719536" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294719536" onclick="return openRuleDetailsDialog('idm45662294719536')">Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" id="rule-overview-leaf-idm45662294714624" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294714624" onclick="return openRuleDetailsDialog('idm45662294714624')">Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" id="rule-overview-leaf-idm45662294709696" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040280"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230544r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.3.2"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294709696" onclick="return openRuleDetailsDialog('idm45662294709696')">Disable Accepting ICMP Redirects for All IPv6 Interfaces</a></td><td class="rule-severity" 
style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations" id="rule-overview-leaf-idm45662294702080" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294702080" onclick="return openRuleDetailsDialog('idm45662294702080')">Configure Denying Router Solicitations on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr" id="rule-overview-leaf-idm45662294697168" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"ANSSI":["BP28(R22)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294697168" onclick="return openRuleDetailsDialog('idm45662294697168')">Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Configure Syslog</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_log_rotation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Ensure All Logs are Rotated by logrotate<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_log_rotation");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" id="rule-overview-leaf-idm45662294650352" data-tt-parent-id="xccdf_org.ssgproject.content_group_log_rotation" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R43)","NT12(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.3"],"https://www.cisecurity.org/controls/":["1","14","15","16","3","5","6"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9"],"https://www.isaca.org/resources/cobit":["APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1"],"PCI-DSS Requirement":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294650352" onclick="return 
openRuleDetailsDialog('idm45662294650352')">Ensure Logrotate Runs Periodically</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"><strong>Rsyslog Logs Sent To Remote Host</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-overview-leaf-idm45662294646352" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405","SRG-OS-000032-VMM-000130"],"NIST SP 
800-53":["CM-6(a)","AU-4(1)","AU-9(2)"],"ANSSI":["BP28(R7)","NT28(R43)","NT12(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001348","CCI-000136","CCI-001851"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000480-GPOS-00227","SRG-OS-000342-GPOS-00133"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-030690"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230479r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.5"],"https://www.cisecurity.org/controls/":["1","13","14","15","16","2","3","5","6"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(B)","164.308(a)(5)(ii)(C)","164.308(a)(6)(ii)","164.308(a)(8)","164.310(d)(2)(iii)","164.312(b)","164.314(a)(2)(i)(C)","164.314(a)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 7.1","SR 7.2"],"https://www.isaca.org/resources/cobit":["APO11.04","APO13.01","BAI03.05","BAI04.04","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.17.2.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294646352" onclick="return openRuleDetailsDialog('idm45662294646352')">Ensure Logs Sent To Remote Host</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294642368" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405"],"NIST SP 800-53":["AU-9(3)","CM-6(a)"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000120-GPOS-00061"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_TLSC_EXT.1","FTP_ITC_EXT.1.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294642368" onclick="return openRuleDetailsDialog('idm45662294642368')">Configure TLS for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294638400" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_TLSC_EXT.1","FTP_ITC_EXT.1.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294638400" onclick="return openRuleDetailsDialog('idm45662294638400')">Configure CA certificate for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the 
rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Ensure Proper Configuration of Log Files<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-overview-leaf-idm45662294616640" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R46)","BP28(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294616640" onclick="return openRuleDetailsDialog('idm45662294616640')">Ensure Log Files 
Are Owned By Appropriate Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-overview-leaf-idm45662294612640" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R46)","BP28(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294612640" onclick="return openRuleDetailsDialog('idm45662294612640')">Ensure Log Files Are Owned By Appropriate User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" id="rule-overview-leaf-idm45662294608656" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.3"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294608656" onclick="return openRuleDetailsDialog('idm45662294608656')">Ensure System Log Files Have Correct Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed" id="rule-overview-leaf-idm45662294664400" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000120-GPOS-00061"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-030680"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230478r627750_rule"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTP_ITC_EXT.1.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294664400" onclick="return openRuleDetailsDialog('idm45662294664400')">Ensure 
rsyslog-gnutls is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-overview-leaf-idm45662294660400" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000051-GPOS-00024","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-030670"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230477r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.1"],"https://www.cisecurity.org/controls/":["1","14","15","16","3","5","6"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9"],"https://www.isaca.org/resources/cobit":["APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294660400" onclick="return openRuleDetailsDialog('idm45662294660400')">Ensure rsyslog is Installed</a></td><td class="rule-severity" 
style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-overview-leaf-idm45662294656400" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"NIST SP 800-53":["CM-6(a)","AU-4(1)"],"ANSSI":["BP28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.DS-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312","CCI-001557","CCI-001851","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010561"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230298r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.2"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2","SR 7.1","SR 7.2"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO13.01","BAI03.05","BAI04.04","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2","A.17.2.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294656400" onclick="return openRuleDetailsDialog('idm45662294656400')">Enable rsyslog Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>File Permissions and Masks</strong> <span class="badge">2x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Verify Permissions on Important Files and Directories</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions_important_account_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_files"><td colspan="3" style="padding-left: 76px">Verify Permissions on Files with Local Account Information and Credentials<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_permissions_important_account_files");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" id="rule-overview-leaf-idm45662294556272" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.5"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294556272" onclick="return openRuleDetailsDialog('idm45662294556272')">Verify Permissions on gshadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_group" id="rule-overview-leaf-idm45662294549568" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.4"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294549568" onclick="return openRuleDetailsDialog('idm45662294549568')">Verify Permissions on group File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" id="rule-overview-leaf-idm45662294542864" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.3"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"FBI 
CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294542864" onclick="return openRuleDetailsDialog('idm45662294542864')">Verify Permissions on shadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" id="rule-overview-leaf-idm45662294536160" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.5"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294536160" onclick="return openRuleDetailsDialog('idm45662294536160')">Verify User Who Owns gshadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" id="rule-overview-leaf-idm45662294513248" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.3"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294513248" onclick="return 
openRuleDetailsDialog('idm45662294513248')">Verify User Who Owns shadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" id="rule-overview-leaf-idm45662294498464" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.2"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294498464" onclick="return openRuleDetailsDialog('idm45662294498464')">Verify Permissions on passwd File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" id="rule-overview-leaf-idm45662294604656" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-002165"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010373"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230267r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294604656" onclick="return openRuleDetailsDialog('idm45662294604656')">Enable Kernel Parameter to Enforce DAC on Symlinks</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294595248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"ANSSI":["BP28(R40)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010700"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230318r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294595248" onclick="return 
openRuleDetailsDialog('idm45662294595248')">Ensure All World-Writable Directories Are Owned by root user</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" id="rule-overview-leaf-idm45662294591248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-002165"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010374"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230268r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294591248" onclick="return openRuleDetailsDialog('idm45662294591248')">Enable Kernel Parameter to Enforce DAC on Hardlinks</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-overview-leaf-idm45662294587248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R37)","BP28(R38)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.14"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294587248" onclick="return openRuleDetailsDialog('idm45662294587248')">Ensure All SGID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-overview-leaf-idm45662294583248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R37)","BP28(R38)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.13"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294583248" onclick="return openRuleDetailsDialog('idm45662294583248')">Ensure All SUID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-overview-leaf-idm45662294579248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R40)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001090"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000138-GPOS-00069"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010190"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230243r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.21"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294579248" onclick="return openRuleDetailsDialog('idm45662294579248')">Verify that All World-Writable Directories Have Sticky Bits Set</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-overview-leaf-idm45662294575248" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST 
SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R40)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.10"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294575248" onclick="return openRuleDetailsDialog('idm45662294575248')">Ensure No World-Writable Files Exist</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Partition Mount Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_partitions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" id="rule-overview-leaf-idm45662294432064" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294432064" onclick="return openRuleDetailsDialog('idm45662294432064')">Add nosuid Option to /var</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" id="rule-overview-leaf-idm45662294425376" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040134"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230522r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.10"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294425376" onclick="return openRuleDetailsDialog('idm45662294425376')">Add noexec Option to /var/tmp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_home_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_home_noexec" id="rule-overview-leaf-idm45662294413248" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294413248" onclick="return openRuleDetailsDialog('idm45662294413248')">Add noexec Option to /home</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_noexec" id="rule-overview-leaf-idm45662294406560" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294406560" onclick="return openRuleDetailsDialog('idm45662294406560')">Add noexec Option to /var</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_boot_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_boot_noexec" id="rule-overview-leaf-idm45662294399872" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294399872" onclick="return openRuleDetailsDialog('idm45662294399872')">Add noexec Option to /boot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" id="rule-overview-leaf-idm45662294387776" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040127"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230515r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294387776" onclick="return openRuleDetailsDialog('idm45662294387776')">Add nosuid Option to /var/log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid" id="rule-overview-leaf-idm45662294379008" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294379008" onclick="return openRuleDetailsDialog('idm45662294379008')">Add nosuid Option to /opt</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or 
system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" id="rule-overview-leaf-idm45662294369600" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010571"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230300r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294369600" onclick="return openRuleDetailsDialog('idm45662294369600')">Add nosuid Option to /boot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" id="rule-overview-leaf-idm45662294365616" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040128"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230516r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294365616" onclick="return openRuleDetailsDialog('idm45662294365616')">Add noexec Option to /var/log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" id="rule-overview-leaf-idm45662294358912" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040125"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230513r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.5"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294358912" onclick="return openRuleDetailsDialog('idm45662294358912')">Add noexec Option to /tmp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" id="rule-overview-leaf-idm45662294354928" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040124"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230512r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.4"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td 
style="padding-left: 76px"><a href="#rule-detail-idm45662294354928" onclick="return openRuleDetailsDialog('idm45662294354928')">Add nosuid Option to /tmp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" id="rule-overview-leaf-idm45662294350944" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040133"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230521r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.9"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294350944" onclick="return openRuleDetailsDialog('idm45662294350944')">Add nosuid Option to /var/tmp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-overview-leaf-idm45662294341520" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010570"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230299r627750_rule"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294341520" onclick="return openRuleDetailsDialog('idm45662294341520')">Add nosuid Option to /home</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" id="rule-overview-leaf-idm45662294334832" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"ANSSI":["BP28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010580"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230301r627750_rule"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294334832" onclick="return openRuleDetailsDialog('idm45662294334832')">Add nodev Option to 
Non-Root Local Partitions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid" id="rule-overview-leaf-idm45662294330800" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"ANSSI":["BP28(R12)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294330800" onclick="return openRuleDetailsDialog('idm45662294330800')">Add nosuid Option to /srv</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Programs from Dangerous Execution Patterns</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_nx" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_nx" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px"><strong>Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" class="rule-overview-leaf 
rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" id="rule-overview-leaf-idm45662294277328" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_nx" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-39","CM-6(a)"],"ANSSI":["BP28(R9)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://www.cisecurity.org/controls/":["11","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294277328" onclick="return openRuleDetailsDialog('idm45662294277328')">Enable NX or XD Support in the BIOS</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" id="rule-overview-leaf-idm45662294273984" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_nx" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R9)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://www.cisecurity.org/controls/":["11","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294273984" onclick="return openRuleDetailsDialog('idm45662294273984')">Install PAE Kernel on Supported 32-bit x86 Systems</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Enable 
ExecShield<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_enable_execshield_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-overview-leaf-idm45662294269984" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-30","SC-30(2)","CM-6(a)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-002824"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00193","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010430"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230280r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.6.2"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294269984" onclick="return openRuleDetailsDialog('idm45662294269984')">Enable Randomized Layout of Virtual Address Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" id="rule-overview-leaf-idm45662294265984" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" 
data-references='{"NIST SP 800-53":["SC-30","SC-30(2)","SC-30(5)","CM-6(a)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000433-GPOS-00192","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040283"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230547r627750_rule"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294265984" onclick="return openRuleDetailsDialog('idm45662294265984')">Restrict Exposed Kernel Pointer Addresses Access</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-overview-leaf-idm45662294261984" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-39","CM-6(a)"],"ANSSI":["BP28(R9)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002530"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00192"],"https://www.cisecurity.org/controls/":["12","15","8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 
7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294261984" onclick="return openRuleDetailsDialog('idm45662294261984')">Enable ExecShield via sysctl</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_coredumps" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_coredumps" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Disable Core Dumps<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_coredumps");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" id="rule-overview-leaf-idm45662294245120" data-tt-parent-id="xccdf_org.ssgproject.content_group_coredumps" data-references='{"NIST SP 800-53":["SI-11(a)","SI-11(b)"],"ANSSI":["BP28(R23)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.6.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45662294245120" onclick="return openRuleDetailsDialog('idm45662294245120')">Disable Core Dumps for SUID programs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent" id="rule-overview-leaf-idm45662294324112" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294324112" onclick="return openRuleDetailsDialog('idm45662294324112')">Limit CPU consumption of the Perf system</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294320096" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R24)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294320096" onclick="return openRuleDetailsDialog('idm45662294320096')">Disable loading and unloading of kernel modules</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-overview-leaf-idm45662294316096" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-171":["3.1.5"],"NIST SP 
800-53":["SI-11(a)","SI-11(b)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000138-GPOS-00069"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010375"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230269r627750_rule"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294316096" onclick="return openRuleDetailsDialog('idm45662294316096')">Restrict Access to Kernel Message Buffer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq" id="rule-overview-leaf-idm45662294306672" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294306672" onclick="return openRuleDetailsDialog('idm45662294306672')">Disallow magic SysRq key</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max" id="rule-overview-leaf-idm45662294302704" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294302704" onclick="return openRuleDetailsDialog('idm45662294302704')">Configure maximum number of process identifiers</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" id="rule-overview-leaf-idm45662294296032" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R25)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040282"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230546r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294296032" onclick="return openRuleDetailsDialog('idm45662294296032')">Restrict usage of ptrace to descendant processes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate" id="rule-overview-leaf-idm45662294289328" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294289328" onclick="return openRuleDetailsDialog('idm45662294289328')">Limit sampling frequency of the Perf system</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" id="rule-overview-leaf-idm45662294285312" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-001090"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000138-GPOS-00069"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010376"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230270r627750_rule"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294285312" onclick="return openRuleDetailsDialog('idm45662294285312')">Disallow kernel profiling by unprivileged users</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr" 
id="rule-overview-leaf-idm45662294281312" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["BP28(R23)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294281312" onclick="return openRuleDetailsDialog('idm45662294281312')">Prevent applications from mapping low portion of virtual memory</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>GRUB2 bootloader configuration</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_non-uefi" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_non-uefi" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2"><td colspan="3" style="padding-left: 57px"><strong>Non-UEFI GRUB2 bootloader configuration</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_password" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662294213488" data-tt-parent-id="xccdf_org.ssgproject.content_group_non-uefi" data-references='{"NIST SP 800-171":["3.4.5"],"NIST SP 
800-53":["CM-6(a)"],"ANSSI":["BP28(R17)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010150"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230235r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.5.2"],"https://www.cisecurity.org/controls/":["1","11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"https://www.isaca.org/resources/cobit":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294213488" onclick="return openRuleDetailsDialog('idm45662294213488')">Set Boot 
Loader Password in grub2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_uefi" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_uefi" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2"><td colspan="3" style="padding-left: 57px">UEFI GRUB2 bootloader configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_uefi");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_uefi_password" class="rule-overview-leaf rule-overview-leaf-notapplicable rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-overview-leaf-idm45662294195872" data-tt-parent-id="xccdf_org.ssgproject.content_group_uefi" data-references='{"NIST SP 800-171":["3.4.5"],"NIST SP 
800-53":["CM-6(a)"],"ANSSI":["BP28(R17)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010140"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230234r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.5.2"],"https://www.cisecurity.org/controls/":["11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"https://www.isaca.org/resources/cobit":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"ISO 27001-2013":["A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662294195872" onclick="return openRuleDetailsDialog('idm45662294195872')">Set the UEFI Boot Loader Password</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result 
rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force" id="rule-overview-leaf-idm45662294233024" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"ANSSI":["BP28(R11)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294233024" onclick="return openRuleDetailsDialog('idm45662294233024')">IOMMU configuration directive</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>SELinux</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux-booleans" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux-booleans" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux"><td colspan="3" style="padding-left: 57px"><strong>SELinux - Booleans</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_deny_execmem" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45662293988928" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293988928" onclick="return openRuleDetailsDialog('idm45662293988928')">Enable the deny_execmem SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" id="rule-overview-leaf-idm45662293692272" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293692272" onclick="return openRuleDetailsDialog('idm45662293692272')">Disable the secure_mode_insmod SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" id="rule-overview-leaf-idm45662293648208" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293648208" onclick="return openRuleDetailsDialog('idm45662293648208')">Disable the selinuxuser_execheap SELinux Boolean</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled" id="rule-overview-leaf-idm45662293611760" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R39)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293611760" onclick="return openRuleDetailsDialog('idm45662293611760')">Disable the polyinstantiation_enabled SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" id="rule-overview-leaf-idm45662293604848" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293604848" onclick="return openRuleDetailsDialog('idm45662293604848')">disable the selinuxuser_execstack SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login" id="rule-overview-leaf-idm45662293536848" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"ANSSI":["BP28(R67)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293536848" onclick="return openRuleDetailsDialog('idm45662293536848')">Disable the ssh_sysadm_login SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed" id="rule-overview-leaf-idm45662294161408" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"ANSSI":["BP28(R68)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294161408" onclick="return openRuleDetailsDialog('idm45662294161408')">Uninstall setroubleshoot-plugins Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed" id="rule-overview-leaf-idm45662294157392" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"ANSSI":["BP28(R68)"]}'><td style="padding-left: 57px"><a 
href="#rule-detail-idm45662294157392" onclick="return openRuleDetailsDialog('idm45662294157392')">Uninstall setroubleshoot-server Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" id="rule-overview-leaf-idm45662294153392" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"ANSSI":["BP28(R68)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.7.1.6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294153392" onclick="return openRuleDetailsDialog('idm45662294153392')">Uninstall setroubleshoot Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_policytype" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-overview-leaf-idm45662294149392" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 
800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"ANSSI":["BP28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010450"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230282r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.7.1.3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294149392" onclick="return openRuleDetailsDialog('idm45662294149392')">Configure SELinux Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_state" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-overview-leaf-idm45662294132368" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 
800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"ANSSI":["BP28(R4)","BP28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010170"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230240r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.7.1.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662294132368" onclick="return openRuleDetailsDialog('idm45662294132368')">Ensure SELinux State is Enforcing</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 19px">Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Mail Server Software<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mail");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_client" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail"><td colspan="3" style="padding-left: 57px">Configure SMTP For Mail 
Clients<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_client");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" id="rule-overview-leaf-idm45662293434656" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_client" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R49)"],"https://public.cyber.mil/stigs/cci/":["CCI-000139","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000046-GPOS-00022"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-030030"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230389r627750_rule"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293434656" onclick="return openRuleDetailsDialog('idm45662293434656')">Configure System to Forward All Mail For The Root Account</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" id="rule-overview-leaf-idm45662293429808" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_client" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R48)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000382"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.18"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293429808" onclick="return openRuleDetailsDialog('idm45662293429808')">Disable Postfix Network Listening</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed" id="rule-overview-leaf-idm45662293442768" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000095-GPOS-00049"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040002"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230489r627750_rule"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662293442768" onclick="return openRuleDetailsDialog('idm45662293442768')">Uninstall Sendmail Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">SSH Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ssh");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh"><td colspan="3" style="padding-left: 57px">Configure OpenSSH Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ssh_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-overview-leaf-idm45662293182000" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6(2)","AC-17(a)","IA-2","IA-2(5)","CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R19)","NT007(R21)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000770"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000109-GPOS-00056","SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010550"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230296r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.10"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","5"],"FBI 
CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293182000" onclick="return openRuleDetailsDialog('idm45662293182000')">Disable SSH Root Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-overview-leaf-idm45662293153536" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["CM-6(a)","AC-17(a)","AC-2(5)","AC-12","AC-17(a)","SC-10","CM-6(a)"],"ANSSI":["BP28(R29)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000879","CCI-001133","CCI-002361"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000126-GPOS-00066","SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109","SRG-OS-000395-GPOS-00175"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010200"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230244r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.13"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5","7","8"],"FBI CJIS":["5.5.6"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03","DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.14.1.1","A.14.2.1","A.14.2.5","A.18.1.4","A.6.1.2","A.6.1.5","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45662293153536" onclick="return openRuleDetailsDialog('idm45662293153536')">Set SSH Idle Timeout Interval</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-overview-leaf-idm45662293114672" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-2(5)","AC-12","AC-17(a)","SC-10","CM-6(a)"],"ANSSI":["BP28(R29)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000879","CCI-001133","CCI-002361"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.13"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5","7","8"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 
6.2"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI03.01","BAI03.02","BAI03.03","DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.14.1.1","A.14.2.1","A.14.2.5","A.18.1.4","A.6.1.2","A.6.1.5","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662293114672" onclick="return openRuleDetailsDialog('idm45662293114672')">Set SSH Client Alive Count Max</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-overview-leaf-idm45662293233344" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"NIST SP 800-171":["3.1.13","3.13.10"],"NIST SP 
800-53":["AC-17(a)","CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-010490"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230287r627750_rule"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.3"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662293233344" onclick="return openRuleDetailsDialog('idm45662293233344')">Verify Permissions on SSH Server Private *_key Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Time 
Protocol<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ntp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_chrony_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_chrony_installed" id="rule-overview-leaf-idm45662292904944" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000355-GPOS-00143"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.1.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662292904944" onclick="return openRuleDetailsDialog('idm45662292904944')">The Chrony package is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" id="rule-overview-leaf-idm45662292879888" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.1.2"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45662292879888" onclick="return openRuleDetailsDialog('idm45662292879888')">A remote time server for Chrony is configured</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Obsolete Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_obsolete");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Rlogin, Rsh, and Rexec<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_r_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-overview-leaf-idm45662292836352" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","IA-5(1)(c)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040010"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230492r627750_rule"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292836352" onclick="return openRuleDetailsDialog('idm45662292836352')">Uninstall rsh-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-overview-leaf-idm45662292832352" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"NIST SP 800-171":["3.1.13"],"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292832352" onclick="return openRuleDetailsDialog('idm45662292832352')">Uninstall rsh Package</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">NIS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nis");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypbind_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-overview-leaf-idm45662292812208" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" 
data-references='{"ANSSI":["BP28(R1)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.3.1"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292812208" onclick="return openRuleDetailsDialog('idm45662292812208')">Remove NIS Client</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-overview-leaf-idm45662292808224" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","IA-5(1)(c)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.17"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 
1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292808224" onclick="return openRuleDetailsDialog('idm45662292808224')">Uninstall ypserv Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Telnet<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_telnet");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-overview-leaf-idm45662292801536" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040000"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230487r627750_rule"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292801536" onclick="return openRuleDetailsDialog('idm45662292801536')">Uninstall telnet-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-overview-leaf-idm45662292797536" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 800-171":["3.1.13"],"ANSSI":["BP28(R1)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.3.2"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292797536" onclick="return openRuleDetailsDialog('idm45662292797536')">Remove telnet Clients</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Xinetd<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_inetd_and_xinetd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_xinetd_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" id="rule-overview-leaf-idm45662292790848" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000305"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.1.1"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292790848" onclick="return openRuleDetailsDialog('idm45662292790848')">Uninstall xinetd Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Chat/Messaging Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_talk");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-overview-leaf-idm45662292784160" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292784160" onclick="return openRuleDetailsDialog('idm45662292784160')">Uninstall talk-server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-overview-leaf-idm45662292780160" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292780160" onclick="return openRuleDetailsDialog('idm45662292780160')">Uninstall talk Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied 
all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_tftp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_tftp" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">TFTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_tftp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-overview-leaf-idm45662292776192" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000318","CCI-000366","CCI-000368","CCI-001812","CCI-001813","CCI-001814"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux":["RHEL-08-040190"],"https://public.cyber.mil/stigs/srg-stig-tools/":["SV-230533r627750_rule"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 
1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292776192" onclick="return openRuleDetailsDialog('idm45662292776192')">Uninstall tftp-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp_removed" id="rule-overview-leaf-idm45662292772192" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"ANSSI":["BP28(R1)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292772192" onclick="return openRuleDetailsDialog('idm45662292772192')">Remove tftp Daemon</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dhcp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 
38px">DHCP<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dhcp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp"><td colspan="3" style="padding-left: 57px">Disable DHCP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_dhcp_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed" id="rule-overview-leaf-idm45662292762832" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 
27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45662292762832" onclick="return openRuleDetailsDialog('idm45662292762832')">Uninstall DHCP Server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr></tbody></table></div><div class="js-only hidden-print"><button type="button" class="btn btn-info" onclick="return toggleResultDetails(this)">Show all result details</button></div><div id="result-details"><h2>Result Details</h2><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-detail-idm45662296184064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-80844-4 </div><div class="panel-heading"><h3 class="panel-title">Install AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_aide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_aide_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80844-4">CCE-80844-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.4.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI02.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002699</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001744</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="">1034</a>, <a href="">1288</a>, <a href="">1341</a>, <a href="">1417</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000363-GPOS-00150</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010360</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230263r627750_rule</a></p></td></tr><tr><td>Description</td><td><div 
class="description">The <code>aide</code> package can be installed with the following command: <pre> $ sudo yum install aide</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The AIDE package must be installed if it is to be available for integrity checking.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="rule-detail-idm45662296180080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Build and Test AIDE Databasexccdf_org.ssgproject.content_rule_aide_build_database mediumCCE-80675-2 </div><div class="panel-heading"><h3 class="panel-title">Build and Test AIDE Database</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_build_database</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component 
satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-aide_build_database:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80675-2">CCE-80675-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI02.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a></p></td></tr><tr><td>Description</td><td><div class="description">Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the file 
<code>/var/lib/aide/aide.db.new.gz</code>. Storing the database, the configuration file <code>/etc/aide.conf</code>, and the binary <code>/usr/sbin/aide</code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows: <pre>$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre> To initiate a manual check, run the following command: <pre>$ sudo /usr/sbin/aide --check</pre> If this check produces any unexpected output, investigate.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Testing existence of new aide database file</span> <span class="label label-default">oval:ssg-test_aide_build_new_database_absolute_path:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on 
the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/lib/aide/aide.db.new.gz</td><td>regular</td><td>0</td><td>0</td><td>7828689</td><td><code>rw------- </code></td></tr></tbody></table><h4><span class="label label-primary">Testing existence of operational aide database file</span> <span class="label label-default">oval:ssg-test_aide_operational_database_absolute_path:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/lib/aide/aide.db.gz</td><td>regular</td><td>0</td><td>0</td><td>7828689</td><td><code>rw------- </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-detail-idm45662296176112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-80676-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Periodic Execution of AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-aide_periodic_cron_checking:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80676-0">CCE-80676-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.4.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI02.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001744</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002699</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002702</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000363-GPOS-00150</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000446-GPOS-00200</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000447-GPOS-00201</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * * root /usr/sbin/aide --check</pre> To implement a weekly execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * 0 root /usr/sbin/aide --check</pre> AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as <code>@daily</code> and <code>@weekly</code> is acceptable.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. <br><br> Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. <br><br> Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">run aide with cron</span> <span class="label label-default">oval:ssg-test_aide_periodic_cron_checking:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crontab</td><td>05 4 * * * root /usr/sbin/aide --check</td></tr><tr><td>/etc/crontab</td><td>0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</td></tr></tbody></table><h4><span class="label label-primary">run aide with cron</span> <span class="label label-default">oval:ssg-test_aide_crond_checking:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found 
conforming to the following objects:</h5><h5>Object <strong><abbr title="run aide with cron">oval:ssg-object_test_aide_crond_checking:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/cron.d</td><td>^.*$</td><td>^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">run aide with cron</span> <span class="label label-default">oval:ssg-test_aide_var_cron_checking:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="run aide with cron">oval:ssg-object_aide_var_cron_checking:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/var/spool/cron/root</td><td>^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">run aide with cron.(daily|weekly)</span> <span class="label label-default">oval:ssg-test_aide_crontabs_checking:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="run aide with cron.(daily|weekly)">oval:ssg-object_aide_crontabs_checking:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/cron.(daily|weekly)$</td><td>^.*$</td><td>^\s*/usr/sbin/aide[\s]*\-\-check.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_scan_notification" id="rule-detail-idm45662296172112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Notification of Post-AIDE Scan Detailsxccdf_org.ssgproject.content_rule_aide_scan_notification mediumCCE-82891-3 </div><div class="panel-heading"><h3 class="panel-title">Configure Notification of Post-AIDE Scan Details</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_scan_notification</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-aide_scan_notification:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82891-3">CCE-82891-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001744</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002702</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(5)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000363-GPOS-00150</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000447-GPOS-00201</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010360</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230263r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in <code>/etc/crontab</code>, append the following line to the existing AIDE line: <pre> | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre> Otherwise, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre> AIDE can be executed periodically through other means; this is merely one example.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. <br><br> Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">notify personnel when aide completes</span> <span class="label label-default">oval:ssg-test_aide_scan_notification:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crontab</td><td>0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</td></tr></tbody></table><h4><span class="label label-primary">notify personnel when aide completes</span> <span class="label label-default">oval:ssg-test_aide_var_cron_notification:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr title="notify personnel when aide completes">oval:ssg-object_aide_var_cron_notification:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/var/spool/cron/root</td><td>^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">notify personnel when aide completes in cron.(daily|weekly|monthly)</span> <span class="label label-default">oval:ssg-test_aide_crontabs_notification:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="notify personnel when aide completes in cron.(d|daily|weekly|monthly)">oval:ssg-object_aide_crontabs_notification:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/cron.(d|daily|weekly|monthly)$</td><td>^.*$</td><td>^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" id="rule-detail-idm45662296168128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes lowCCE-83733-6 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Verify Extended Attributes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-aide_verify_ext_attributes:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83733-6">CCE-83733-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040300</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230551r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>xattrs</code> option is missing, add <code>xattrs</code> to the appropriate ruleset. 
For example, add <code>xattrs</code> to the following line in <code>/etc/aide.conf</code>: <pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre> AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds <code>xattrs</code> to all rule sets available in <code>/etc/aide.conf</code></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">xattrs is set in /etc/aide.conf</span> <span class="label label-default">oval:ssg-test_aide_verify_ext_attributes:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/aide.conf</td><td>DIR = p+i+n+u+g+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>PERMS = 
p+u+g+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>EVERYTHING = R+ALLXTRAHASHES+xattrs+acl</td></tr><tr><td>/etc/aide.conf</td><td>NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512</td></tr><tr><td>/etc/aide.conf</td><td>LOG = p+u+g+n+S+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>CONTENT = sha512+ftype+xattrs+acl</td></tr><tr><td>/etc/aide.conf</td><td>CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_aide_verify_acls" id="rule-detail-idm45662296164128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls lowCCE-84220-3 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Verify Access Control Lists (ACLs)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_verify_acls</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-aide_verify_acls:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84220-3">CCE-84220-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040310</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230552r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>acl</code> option is missing, add <code>acl</code> to the appropriate ruleset. For example, add <code>acl</code> to the following line in <code>/etc/aide.conf</code>: <pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre> AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. 
The remediation provided with this rule adds <code>acl</code> to all rule sets available in <code>/etc/aide.conf</code></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>14.el8</td><td>0.16</td><td>0:0.16-14.el8</td><td>199e2f91fd431d51</td><td>aide-0:0.16-14.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">acl is set in /etc/aide.conf</span> <span class="label label-default">oval:ssg-test_aide_verify_acls:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/aide.conf</td><td>DIR = p+i+n+u+g+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>PERMS = p+u+g+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>EVERYTHING = R+ALLXTRAHASHES+xattrs+acl</td></tr><tr><td>/etc/aide.conf</td><td>NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512</td></tr><tr><td>/etc/aide.conf</td><td>LOG = 
p+u+g+n+S+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>CONTENT = sha512+ftype+xattrs+acl</td></tr><tr><td>/etc/aide.conf</td><td>CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs</td></tr><tr><td>/etc/aide.conf</td><td>DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-detail-idm45662296088240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed mediumCCE-82214-8 </div><div class="panel-heading"><h3 class="panel-title">Install sudo Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_sudo_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_sudo_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82214-8">CCE-82214-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.3.1</a>, <a href="">1382</a>, <a href="">1384</a>, <a href="">1386</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>sudo</code> package can be installed with the following command: <pre> $ sudo yum install sudo</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>sudo</code> is a program designed to allow a system administrator to give limited root privileges to users and log root activity. 
The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sudo is installed</span> <span class="label label-default">oval:ssg-test_package_sudo_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>sudo</td><td>x86_64</td><td>(none)</td><td>7.el8</td><td>1.8.29</td><td>0:1.8.29-7.el8</td><td>199e2f91fd431d51</td><td>sudo-0:1.8.29-7.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot" id="rule-detail-idm45662296081536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure sudo Ignores Commands In Current Dir - sudo ignore_dotxccdf_org.ssgproject.content_rule_sudo_add_ignore_dot mediumCCE-83810-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_ignore_dot:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83810-2">CCE-83810-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>ignore_dot</code> tag, when specified, will ignore the current directory in the PATH environment variable. 
On Red Hat Enterprise Linux 8, <code>env_reset</code> is enabled by default. This should be enabled by making sure that the <code>ignore_dot</code> tag exists in the <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ignoring the commands in the user's current directory prevents an attacker from executing commands downloaded locally.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">ignore_dot exists in /etc/sudoers or /etc/sudoers.d/</span> <span class="label label-default">oval:ssg-test_ignore_dot_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_ignore_dot_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/sudoers(|\.d/.*)$</td><td>^[\s]*Defaults.*\bignore_dot\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="rule-detail-idm45662296077568"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXECxccdf_org.ssgproject.content_rule_sudo_add_noexec highCCE-83747-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC</h3></div><div class="panel-body"><table
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83747-6">CCE-83747-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed commands from executing other commands, like a shell for example. 
This should be enabled by making sure that the <code>NOEXEC</code> tag exists in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Restricting the capability of sudo allowed commands to execute sub-commands prevents users from running programs with privileges they wouldn't have otherwise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec exists in /etc/sudoers or /etc/sudoers.d/</span> <span class="label label-default">oval:ssg-test_noexec_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults noexec</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout" id="rule-detail-idm45662296073600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure sudo passwd_timeout is appropriate - sudo passwd_timeoutxccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout mediumCCE-83964-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_passwd_timeout</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system 
or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_passwd_timeout:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83964-7">CCE-83964-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>passwd_timeout</code> tag sets the amount of time sudo password prompt waits. On Red Hat Enterprise Linux 8, the default <code>passwd_timeout</code> value is 5 minutes. 
The passwd_timeout should be configured by making sure that the <code>passwd_timeout=sub_var_value("var_sudo_passwd_timeout")</code> tag exists in the <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Reducing the time <code>sudo</code> waits for a password reduces the time the process is exposed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">passwd_timeout exists in /etc/sudoers or /etc/sudoers.d/</span> <span class="label label-default">oval:ssg-test_passwd_timeout_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults passwd_timeout=1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" id="rule-detail-idm45662296066096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Don't define allowed commands in sudoers by means of exclusionxccdf_org.ssgproject.content_rule_sudoers_no_command_negation mediumCCE-83518-1 </div><div class="panel-heading"><h3 class="panel-title">Don't define allowed commands in sudoers by means of exclusion</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudoers_no_command_negation</td></tr><tr><td>Result</td><td class="rule-result
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudoers_no_command_negation:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83518-1">CCE-83518-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R61)</a></p></td></tr><tr><td>Description</td><td><div class="description">Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the <code>sudoers</code> file contains a comma-delimited list of command specifications. The definition can make use of glob patterns, as well as of negations. Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Specifying access rights using negation is inefficient and can be easily circumvented. For example, it is expected that a specification like <pre> # To avoid absolutely, this rule can be easily circumvented! 
user ALL = ALL, !/bin/sh </pre> prevents the execution of the shell but that's not the case: just copy the binary <code>/bin/sh</code> to a different name to make it executable again through the rule keyword <code>ALL</code>.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Make sure that no command in user spec contains negation</span> <span class="label label-default">oval:ssg-test_sudoers_no_command_negation:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sudoers_no_command_negation:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/sudoers(\.d/.*)?$</td><td>^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="rule-detail-idm45662296062096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Only Users Logged In To Real tty Can 
Execute Sudo - sudo use_ptyxccdf_org.ssgproject.content_rule_sudo_add_use_pty mediumCCE-83798-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_use_pty</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_use_pty:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83798-9">CCE-83798-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. 
This should be enabled by making sure that the <code>use_pty</code> tag exists in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">use_pty exists in /etc/sudoers or /etc/sudoers.d/</span> <span class="label label-default">oval:ssg-test_use_pty_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults use_pty</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_requiretty" id="rule-detail-idm45662296055424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requirettyxccdf_org.ssgproject.content_rule_sudo_add_requiretty mediumCCE-83790-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_requiretty</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_requiretty:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83790-6">CCE-83790-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>requiretty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. 
This should be enabled by making sure that the <code>requiretty</code> tag exists in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">requiretty exists in /etc/sudoers or /etc/sudoers.d/</span> <span class="label label-default">oval:ssg-test_requiretty_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults requiretty</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="rule-detail-idm45662296051456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure sudo Runs In A Minimal Environment - sudo env_resetxccdf_org.ssgproject.content_rule_sudo_add_env_reset mediumCCE-83820-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure sudo Runs In A Minimal Environment - sudo env_reset</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_env_reset</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_env_reset:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83820-1">CCE-83820-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. 
On Red Hat Enterprise Linux 8, <code>env_reset</code> is enabled by default. This should be enabled by making sure that the <code>env_reset</code> tag exists in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentally, preventing leak of potentially sensitive information.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">env_reset exists in /etc/sudoers or /etc/sudoers.d/</span> <span class="label label-default">oval:ssg-test_env_reset_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td> Defaults env_reset</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_add_umask" id="rule-detail-idm45662296047488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure sudo umask is appropriate - sudo umaskxccdf_org.ssgproject.content_rule_sudo_add_umask mediumCCE-83860-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure sudo umask is appropriate - sudo umask</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_add_umask</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_add_umask:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83860-7">CCE-83860-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>umask</code> tag, when specified, will be added to the user's umask in the command environment. On Red Hat Enterprise Linux 8, the default <code>umask</code> value is 0022. The umask should be configured by making sure that the <code>umask=sub_var_value("var_sudo_umask")</code> tag exists in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The umask value influences the permissions assigned to files when they are created. 
A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">umask exists in /etc/sudoers or /etc/sudoers.d/</span> <span class="label label-default">oval:ssg-test_umask_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults umask=0027</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args" id="rule-detail-idm45662296040000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Explicit arguments in sudo specificationsxccdf_org.ssgproject.content_rule_sudoers_explicit_command_args mediumCCE-83632-0 </div><div class="panel-heading"><h3 class="panel-title">Explicit arguments in sudo specifications</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sudoers_explicit_command_args:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83632-0">CCE-83632-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R63)</a></p></td></tr><tr><td>Description</td><td><div class="description">All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Any argument can modify quite significantly the behavior of a program, whether regarding the realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the level of its specification. For example, on some systems, the kernel messages are only accessible by root. 
If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted in order to prevent the user from flushing the buffer through the -c option: <pre> user ALL = dmesg "" </pre></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Make sure that no command in user spec is without any argument</span> <span class="label label-default">oval:ssg-test_sudoers_explicit_command_args:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td> Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_dedicated_group" id="rule-detail-idm45662296036000"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure a dedicated group owns sudoxccdf_org.ssgproject.content_rule_sudo_dedicated_group mediumCCE-83982-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure a dedicated group owns sudo</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_dedicated_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_dedicated_group:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83982-9">CCE-83982-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R57)</a></p></td></tr><tr><td>Description</td><td><div class="description">Restrict the execution of privilege escalated commands to a dedicated group of users. 
Ensure the group owner of /usr/bin/sudo is <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_sudo_dedicated_group">sudogrp</abbr>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Restricting the set of users able to execute commands as privileged user reduces the attack surface.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Changing group owner of <code>/usr/bin/sudo</code> to a group with no member users will prevent any and all escalation of privileges. Additionally, the system may become unmanageable if root logins are not allowed.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This rule doesn't come with a remediation: before remediating, the sysadmin needs to add users to the dedicated sudo group.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if dedicated group is listed in /etc/group</span> <span class="label label-default">oval:ssg-test_dedicated_group_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Grab GID of group set in var_sudo_dedicated_group">oval:ssg-sudo_dedicated_group_gid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>sudogrp</td></tr><tr><td>^sudogrp:x:(\d+):.*$</td></tr></table></td><td>/etc/group</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check 
/usr/bin/sudo is owned by group defined in var_sudo_dedicated_group </span> <span class="label label-default">oval:ssg-test_sudo_owned_by_dedicated_group:tst:1</span> <span class="label label-danger">error</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/usr/bin/sudo</td><td>regular</td><td>0</td><td>0</td><td>165640</td><td><code>--s--x--x </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-detail-idm45662296031200"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-82202-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_remove_no_authenticate:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82202-3">CCE-82202-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010381</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230272r627750_rule</a>, <a href="">SRG-OS-000373-VMM-001470</a>, <a href="">SRG-OS-000373-VMM-001480</a>, <a href="">SRG-OS-000373-VMM-001490</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authenticate</code> option does not exist in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
<br><br> When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers</span> <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers.d</td><td>^.*$</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudoers_no_root_target" id="rule-detail-idm45662296027200"><div class="keywords 
sr-only"><!--This allows OpenSCAP JS to search the report rules-->Don't target root user in the sudoers filexccdf_org.ssgproject.content_rule_sudoers_no_root_target mediumCCE-83598-3 </div><div class="panel-heading"><h3 class="panel-title">Don't target root user in the sudoers file</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudoers_no_root_target</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudoers_no_root_target:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:25+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83598-3">CCE-83598-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R60)</a></p></td></tr><tr><td>Description</td><td><div class="description">The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to explicitly list the runas spec (i.e. 
the list of target users that can be impersonated), and <code>ALL</code> or <code>root</code> should not be used.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">It is common that the command to be executed does not require superuser rights (editing a file whose owner is not root, sending a signal to an unprivileged process, etc.). To limit any attempt at privilege escalation through a command, it is better to run it with normal user rights.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Make sure that no user spec in sudoers has a runas spec that includes root or ALL</span> <span class="label label-default">oval:ssg-test_no_root_or_ALL_in_runas_spec:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-root_or_ALL_in_runas_spec:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/sudoers(\.d/.*)?$</td><td>^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">make sure that all user specs in sudoers feature a runas spec</span> <span class="label label-default">oval:ssg-test_no_user_spec_rules:tst:1</span> <span 
class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>Defaults env_keep = "</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-detail-idm45662296023216"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-82197-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_remove_nopasswd:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:25+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82197-5">CCE-82197-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010380</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230271r627750_rule</a>, <a href="">SRG-OS-000373-VMM-001470</a>, <a href="">SRG-OS-000373-VMM-001480</a>, <a href="">SRG-OS-000373-VMM-001490</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>NOPASSWD</code> tag does not exist in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
<br><br> When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">NOPASSWD does not exist /etc/sudoers</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nopasswd_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">NOPASSWD does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers_d:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nopasswd_etc_sudoers_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers.d</td><td>^.*$</td><td>^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-detail-idm45662295864656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to 
search the report rules-->Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-80854-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/log/audit Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log_audit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var_log_audit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:25+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80854-3">CCE-80854-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.12</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001849</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000341-GPOS-00132</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010542</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230294r627750_rule</a>, <a href="">SRG-OS-000341-VMM-001220</a></p></td></tr><tr><td>Description</td><td><div class="description">Audit logs are stored in the 
<code>/var/log/audit</code> directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Placing <code>/var/log/audit</code> in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var/log/audit on own partition</span> <span class="label label-default">oval:ssg-testvar_log_audit_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log/audit</td><td>/dev/mapper/rhel-var_log_audit</td><td>c283ed62-570e-470f-9887-a451fb69ee7d</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">129704</td><td role="num">7555</td><td role="num">122149</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_boot" id="rule-detail-idm45662295860656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /boot Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_boot mediumCCE-83336-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure /boot Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_boot</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_boot:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:25+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83336-8">CCE-83336-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">It is recommended that the <code>/boot</code> directory resides on a separate partition. 
This makes it easier to apply restrictions e.g. through the <code>noexec</code> mount option. Eventually, the <code>/boot</code> partition can be configured not to be mounted automatically with the <code>noauto</code> mount option.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/boot</code> partition contains the kernel and bootloader files. Access to this partition should be restricted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/boot on own partition</span> <span class="label label-default">oval:ssg-testboot_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>9bdb2e77-09b5-4440-bb45-2979a88c80fd</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">129704</td><td role="num">59981</td><td role="num">69723</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_opt" id="rule-detail-idm45662295856688"><div class="keywords 
sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /opt Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_opt mediumCCE-83340-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure /opt Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_opt</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_opt:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:26+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83340-0">CCE-83340-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">It is recommended that the <code>/opt</code> directory resides on a separate partition.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/opt</code> partition contains additional software, usually installed outside the packaging system. Putting this directory on a separate partition makes it easier to apply restrictions e.g. through the <code>nosuid</code> mount option.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/opt on own partition</span> <span class="label label-default">oval:ssg-testopt_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space 
left</th></tr></thead><tbody><tr><td>/opt</td><td>/dev/mapper/rhel-opt</td><td>77ae06e9-6dd5-4e0a-b037-f3613a9d7b52</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10073</td><td role="num">249511</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-detail-idm45662295850032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-80851-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure /tmp Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_tmp:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:26+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80851-9">CCE-80851-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.2</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010543</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230295r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/tmp</code> partition is used as temporary storage by many programs. 
Placing <code>/tmp</code> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/tmp on own partition</span> <span class="label label-default">oval:ssg-testtmp_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/rhel-tmp</td><td>7046abce-80d6-421c-bff3-99e32bc334a2</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10119</td><td role="num">249465</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_srv" id="rule-detail-idm45662295846064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /srv Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_srv unknownCCE-83387-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure /srv Located On Separate 
Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_srv</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_srv:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:26+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83387-1">CCE-83387-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">If a file server (FTP, TFTP...) is hosted locally, create a separate partition for <code>/srv</code> at installation time (or migrate it later using LVM). If <code>/srv</code> will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/srv</code> directory holds files served by local network file servers such as FTP. 
Ensuring that <code>/srv</code> is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/srv on own partition</span> <span class="label label-default">oval:ssg-testsrv_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/srv</td><td>/dev/mapper/rhel-srv</td><td>77751d51-5128-44d4-b904-41179eafa70e</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10073</td><td role="num">249511</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_usr" id="rule-detail-idm45662295842096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /usr Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_usr mediumCCE-83343-4 </div><div class="panel-heading"><h3 
class="panel-title">Ensure /usr Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_usr</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_usr:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:26+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83343-4">CCE-83343-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">It is recommended that the <code>/usr</code> directory resides on a separate partition.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/usr</code> partition contains system software, utilities and files. 
Putting it on a separate partition allows limiting its size and applying restrictions through mount options.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/usr on own partition</span> <span class="label label-default">oval:ssg-testusr_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/usr</td><td>/dev/mapper/rhel-usr</td><td>e1e98a2c-ead1-477e-bdd7-d69f4a5b6e84</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">1277440</td><td role="num">1139330</td><td role="num">138110</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-detail-idm45662295838128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-80852-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td 
class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:27+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80852-7">CCE-80852-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.6</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010540</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230292r627750_rule</a>, <a href="">SRG-OS-000341-VMM-001220</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. 
Ensure that <code>/var</code> has its own partition or logical volume at installation time, or migrate it using LVM.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ensuring that <code>/var</code> is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the <code>/var</code> directory to contain world-writable directories installed by other software packages.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var on own partition</span> <span class="label label-default">oval:ssg-testvar_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var</td><td>/dev/mapper/rhel-var</td><td>3b9bf26c-12ea-4f64-abc1-3fac0b5d2263</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">783872</td><td role="num">64669</td><td role="num">719203</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_tmp" id="rule-detail-idm45662295834160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var/tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_tmp lowCCE-82730-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/tmp Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var_tmp:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:27+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82730-3">CCE-82730-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>/var/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/var/tmp</code> partition is used as temporary storage by many programs. 
Placing <code>/var/tmp</code> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var/tmp on own partition</span> <span class="label label-default">oval:ssg-testvar_tmp_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/tmp</td><td>/dev/mapper/rhel-var_tmp</td><td>5cdb94cd-dc68-4f07-aca4-c8f069f590f1</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10098</td><td role="num">249486</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log" id="rule-detail-idm45662295830192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log mediumCCE-80853-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure 
/var/log Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var_log:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:27+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80853-5">CCE-80853-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R47)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.11</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a 
href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010541</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230293r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">System logs are stored in the <code>/var/log</code> directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Placing <code>/var/log</code> in its own partition enables better separation between log files and other files in <code>/var/</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var/log on own partition</span> <span class="label label-default">oval:ssg-testvar_log_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/rhel-var_log</td><td>54ebd97a-fc48-4ff8-9e66-637df9cbc902</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">12683</td><td 
role="num">246901</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-detail-idm45662295826224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-81044-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure /home Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_home</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_home:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81044-0">CCE-81044-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.13</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001208</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010800</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230328r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). 
If <code>/home</code> will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ensuring that <code>/home</code> is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/home on own partition</span> <span class="label label-default">oval:ssg-testhome_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/rhel-home</td><td>249c85b7-b274-4df5-8ef4-8790ff211f6a</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">13526</td><td role="num">246058</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" id="rule-detail-idm45662295822256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install dnf-automatic Packagexccdf_org.ssgproject.content_rule_package_dnf-automatic_installed mediumCCE-82985-3 </div><div class="panel-heading"><h3 class="panel-title">Install dnf-automatic Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_dnf-automatic_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82985-3">CCE-82985-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>dnf-automatic</code> package can be installed with the following command: <pre> $ sudo yum install dnf-automatic</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>dnf-automatic</code> is an alternative command line interface (CLI) to <code>dnf upgrade</code> suitable for automatic, regular execution.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dnf-automatic is installed</span> <span class="label label-default">oval:ssg-test_package_dnf-automatic_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>dnf-automatic</td><td>noarch</td><td>(none)</td><td>11.el8</td><td>4.4.2</td><td>0:4.4.2-11.el8</td><td>199e2f91fd431d51</td><td>dnf-automatic-0:4.4.2-11.el8.noarch</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-detail-idm45662295818256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-80795-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Red Hat GPG Key Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_redhat_gpgkey_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80795-8">CCE-80795-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.2.3</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: <pre>$ sudo subscription-manager register</pre> If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in <code>/media/cdrom</code>, use the following command as the root user to import it into the keyring: <pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre> Alternatively, the key may be pre-loaded during the RHEL installation. 
In such cases, the key can be installed by running the following command: <pre>sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature 
keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.6.el8</td><td>8.5</td><td>0:8.5-0.6.el8</td><td>199e2f91fd431d51</td><td>redhat-release-0:8.5-0.6.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.6.el8</td><td>8.5</td><td>0:8.5-0.6.el8</td><td>199e2f91fd431d51</td><td>redhat-release-0:8.5-0.6.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span 
class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.6.el8</td><td>8.5</td><td>0:8.5-0.6.el8</td><td>199e2f91fd431d51</td><td>redhat-release-0:8.5-0.6.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.6.el8</td><td>8.5</td><td>0:8.5-0.6.el8</td><td>199e2f91fd431d51</td><td>redhat-release-0:8.5-0.6.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release 
(\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Red Hat release key package is installed</span> <span class="label label-default">oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>5b32db75</td><td>d4082792</td><td>0:d4082792-5b32db75</td><td>0</td><td>gpg-pubkey-0:d4082792-5b32db75.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr></tbody></table><h4><span class="label label-primary">Red Hat auxiliary key package is installed</span> <span class="label label-default">oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>5b32db75</td><td>d4082792</td><td>0:d4082792-5b32db75</td><td>0</td><td>gpg-pubkey-0:d4082792-5b32db75.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not 
evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> <span class="label label-default">oval:ssg-test_centos8_name:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release 
ID">oval:ssg-obj_name_centos8:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^ID="(\w+)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> <span class="label label-default">oval:ssg-test_centos8_name:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>ID="rhel"</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> <span class="label label-default">oval:ssg-test_centos8_version:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos8:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> <span class="label label-default">oval:ssg-test_centos8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos8:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> <span class="label label-default">oval:ssg-test_centos8_name:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release ID">oval:ssg-obj_name_centos8:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^ID="(\w+)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> <span class="label label-default">oval:ssg-test_centos8_name:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>ID="rhel"</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> <span class="label label-default">oval:ssg-test_centos8_version:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos8:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> <span class="label label-default">oval:ssg-test_centos8_version:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos8:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">CentOS8 key package is installed</span> <span class="label label-default">oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>5b32db75</td><td>d4082792</td><td>0:d4082792-5b32db75</td><td>0</td><td>gpg-pubkey-0:d4082792-5b32db75.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" id="rule-detail-idm45662295814256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable dnf-automatic Timerxccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled mediumCCE-82360-9 </div><div class="panel-heading"><h3 class="panel-title">Enable dnf-automatic Timer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-timer_dnf-automatic_enabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82360-9">CCE-82360-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr>
<tr><td>Description</td><td><div class="description"> The <code>dnf-automatic</code> timer can be enabled with the following command: <pre>$ sudo systemctl enable dnf-automatic.timer</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>dnf-automatic</code> is an alternative command line interface (CLI) to <code>dnf upgrade</code>, with facilities that make it suitable for automatic, regular execution from systemd timers, cron jobs and similar. The tool is controlled by the <code>dnf-automatic.timer</code> systemd timer.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dnf-automatic is installed</span> <span class="label label-default">oval:ssg-test_package_dnf-automatic_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>dnf-automatic</td><td>noarch</td><td>(none)</td><td>11.el8</td><td>4.4.2</td><td>0:4.4.2-11.el8</td><td>199e2f91fd431d51</td><td>dnf-automatic-0:4.4.2-11.el8.noarch</td></tr></tbody></table><h4><span class="label label-primary">Test that the dnf-automatic timer is running</span> <span class="label label-default">oval:ssg-test_timer_running_dnf-automatic:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>dnf-automatic.timer</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_dnf-automatic:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
</tr></thead><tbody><tr><td>multi-user.target</td>
<td>basic.target</td><td>var-tmp.mount</td><td>var.mount</td><td>sysinit.target</td><td>plymouth-read-write.service</td><td>lvm2-monitor.service</td><td>cryptsetup.target</td><td>systemd-hwdb-update.service</td><td>sys-kernel-debug.mount</td><td>local-fs.target</td>
<td>-.mount</td><td>srv.mount</td><td>opt.mount</td><td>home.mount</td><td>var-log.mount</td><td>tmp.mount</td><td>var-log-audit.mount</td><td>usr.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td>
<td>ostree-remount.service</td><td>lvm2-lvmpolld.socket</td><td>systemd-journal-flush.service</td><td>nis-domainname.service</td><td>iscsi-onboot.service</td><td>ldconfig.service</td><td>systemd-udevd.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-utmp.service</td><td>systemd-random-seed.service</td>
<td>plymouth-start.service</td><td>dev-mqueue.mount</td><td>systemd-tmpfiles-setup.service</td><td>systemd-update-done.service</td><td>systemd-sysctl.service</td><td>systemd-modules-load.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-binfmt.service</td><td>selinux-autorelabel-mark.service</td><td>sys-fs-fuse-connections.mount</td>
<td>systemd-ask-password-console.path</td><td>dev-hugepages.mount</td><td>systemd-udev-trigger.service</td><td>systemd-machine-id-commit.service</td><td>systemd-sysusers.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>sys-kernel-config.mount</td><td>loadmodules.service</td><td>swap.target</td>
<td>dev-mapper-rhel\x2dswap.swap</td><td>kmod-static-nodes.service</td><td>multipathd.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-journald.service</td><td>dracut-shutdown.service</td><td>paths.target</td><td>timers.target</td><td>dnf-makecache.timer</td><td>dnf-automatic.timer</td>
<td>mlocate-updatedb.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-journald.socket</td><td>avahi-daemon.socket</td><td>systemd-journald-dev-log.socket</td>
<td>dm-event.socket</td><td>libvirtd-ro.socket</td><td>dbus.socket</td><td>libvirtd.socket</td><td>virtlogd.socket</td><td>virtlockd.socket</td><td>systemd-coredump.socket</td><td>iscsiuio.socket</td><td>systemd-udevd-kernel.socket</td><td>multipathd.socket</td>
<td>systemd-initctl.socket</td><td>iscsid.socket</td><td>cups.socket</td><td>systemd-udevd-control.socket</td><td>rpcbind.socket</td><td>sssd-kcm.socket</td><td>microcode.service</td><td>mdmonitor.service</td><td>smartd.service</td><td>sssd.service</td>
<td>plymouth-quit-wait.service</td><td>auditd.service</td><td>nfs-client.target</td><td>auth-rpcgss-module.service</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>getty@tty1.service</td><td>vdo.service</td><td>plymouth-quit.service</td>
<td>mcelog.service</td><td>systemd-ask-password-wall.path</td><td>ksm.service</td><td>tuned.service</td><td>rpcbind.service</td><td>rsyslog.service</td><td>ModemManager.service</td><td>chronyd.service</td><td>systemd-logind.service</td><td>systemd-update-utmp-runlevel.service</td>
<td>crond.service</td><td>NetworkManager.service</td><td>libstoragemgmt.service</td><td>vmtoolsd.service</td><td>sshd.service</td><td>ksmtuned.service</td><td>firewalld.service</td><td>irqbalance.service</td><td>cups.service</td><td>systemd-user-sessions.service</td>
<td>rhsmcertd.service</td><td>avahi-daemon.service</td><td>dbus.service</td><td>kdump.service</td><td>libvirtd.service</td><td>cups.path</td><td>remote-fs.target</td><td>iscsi.service</td><td>var-lib-machines.mount</td><td>atd.service</td>
</tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-detail-idm45662295810256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date highCCE-80865-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure Software Patches Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_security_patches_up_to_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>yes</td></tr><tr><td>OVAL Definition ID</td><td></td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80865-9">CCE-80865-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R08)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.9</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">20</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO12.01</a>, <a href="https://www.isaca.org/resources/cobit">APO12.02</a>, <a href="https://www.isaca.org/resources/cobit">APO12.03</a>, <a href="https://www.isaca.org/resources/cobit">APO12.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001227</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.16.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.RA-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-12</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010010</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230222r627750_rule</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"> If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: <pre>$ sudo yum update</pre> If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using <code>rpm</code>. <br><br> NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. 
If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre>&lt;message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info"&gt;None of the check-content-ref elements was resolvable.&lt;/message&gt;</pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" id="rule-detail-idm45662295805600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure dnf-automatic to Install Only Security Updatesxccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only lowCCE-82267-6 </div><div class="panel-heading"><h3 class="panel-title">Configure dnf-automatic to Install Only Security Updates</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dnf-automatic_security_updates_only:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A
globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82267-6">CCE-82267-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By default, <code>dnf-automatic</code> installs all available updates. 
Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file</span> <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>[commands] # What kind of upgrade to perform: # default = all available upgrades # security = only the security upgrades upgrade_type = security</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only</span> <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>regular</td><td>0</td><td>0</td><td>2719</td><td><code>rw-r--r-- </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-detail-idm45662295801600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-80791-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Local Packages</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_local_packages:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80791-7">CCE-80791-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010371</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230265r627750_rule</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description"><code>yum</code> should be configured to verify the signature(s) of local packages prior to installation. 
To configure <code>yum</code> to verify signatures of local packages, set <code>localpkg_gpgcheck</code> to <code>1</code> in <code>/etc/yum.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. <br><br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of localpkg_gpgcheck in /etc/yum.conf</span> <span class="label label-default">oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/yum.conf</td><td>localpkg_gpgcheck = 1 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="rule-detail-idm45662295794896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure dnf-automatic to Install Available Updates Automaticallyxccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates mediumCCE-82494-6 </div><div class="panel-heading"><h3 class="panel-title">Configure dnf-automatic to Install Available Updates Automatically</h3></div><div class="panel-body"><table class="table table-striped
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dnf-automatic_apply_updates:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82494-6">CCE-82494-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="">0940</a>, <a href="">1144</a>, <a href="">1467</a>, <a href="">1472</a>, <a href="">1483</a>, <a href="">1493</a>, <a href="">1494</a>, <a href="">1495</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of apply_updates setting in the /etc/dnf/automatic.conf file</span> <span class="label label-default">oval:ssg-test_dnf-automatic_apply_updates:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>[commands] # What kind of upgrade to perform: # default = all available upgrades # security = only the security upgrades upgrade_type = security random_sleep = 0 # Maximum time in seconds to wait until the system is on-line and able to # connect to remote repositories. 
network_online_timeout = 60 # To just receive updates use dnf-automatic-notifyonly.timer # Whether updates should be downloaded when they are available, by # dnf-automatic.timer. notifyonly.timer, download.timer and # install.timer override this setting. download_updates = yes # Whether updates should be applied when they are available, by # dnf-automatic.timer. notifyonly.timer, download.timer and # install.timer override this setting. apply_updates = yes</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates</span> <span class="label label-default">oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>regular</td><td>0</td><td>0</td><td>2719</td><td><code>rw-r--r-- </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-detail-idm45662295788192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for All yum Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-80792-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for All yum Package Repositories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_never_disabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80792-5">CCE-80792-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure signature checking is not disabled for any repos, remove 
any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck=0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for existence of gpgcheck=0 in /etc/yum.repos.d/ files</span> <span class="label label-default">oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/yum.repos.d</td><td>.*</td><td>^\s*gpgcheck\s*=\s*0\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-detail-idm45662295784192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled In Main yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-80790-9 </div><div class="panel-heading"><h3 
class="panel-title">Ensure gpgcheck Enabled In Main yum Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_globally_activated:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80790-9">CCE-80790-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.2.4</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010370</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230264r627750_rule</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in <code>/etc/yum.conf</code> in the <code>[main]</code> section: <pre>gpgcheck=1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. <br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. <br>Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. 
Certificates used to verify the software must be from an approved Certificate Authority (CA).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of gpgcheck in /etc/yum.conf</span> <span class="label label-default">oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/yum.conf</td><td>gpgcheck=1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_prefer_64bit_os" id="rule-detail-idm45662296196112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prefer to use a 64-bit Operating System when supportedxccdf_org.ssgproject.content_rule_prefer_64bit_os mediumCCE-83694-0 </div><div class="panel-heading"><h3 class="panel-title">Prefer to use a 64-bit Operating System when supported</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_prefer_64bit_os</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-prefer_64bit_os:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:24+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83694-0">CCE-83694-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R10)</a></p></td></tr><tr><td>Description</td><td><div class="description">Prefer installation of 64-bit operating systems when the CPU supports it.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a 64-bit operating system offers a few advantages, like a larger address space range for Address Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> There is no remediation besides installing a 64-bit operating system.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if kernel nvr arch is 64-bit</span> <span class="label label-default">oval:ssg-test_proc_sys_kernel_osrelease_64_bit:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/proc/sys/kernel/osrelease</td><td>4.18.0-314.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Check for CPU flag lm</span> <span class="label label-default">oval:ssg-test_proc_cpuinfo_64_bit:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/proc/cpuinfo</td><td>flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat umip md_clear arch_capabilities</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-detail-idm45662295741104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set PAM's Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-80893-1 </div><div class="panel-heading"><h3 class="panel-title">Set PAM's Password Hashing Algorithm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-set_password_hashing_algorithm_systemauth:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80893-1">CCE-80893-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R32)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.4</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000196</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000073-GPOS-00041</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010160</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230237r627750_rule</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/system-auth</code>, the <code>password</code> section of the file controls which PAM modules execute during a password change. Set the <code>pam_unix.so</code> module in the <code>password</code> section to include the argument <code>sha512</code>, as shown below: <br> <pre>password sufficient pam_unix.so sha512 <i>other arguments...</i></pre> <br> This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. <br><br> This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. 
Additionally, the <code>crypt_style</code> configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check /etc/pam.d/system-auth for correct settings</span> <span class="label label-default">oval:ssg-test_pam_unix_sha512:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-detail-idm45662295726256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-80663-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Special Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_ocredit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80663-8">CCE-80663-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001619</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000266-GPOS-00101</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020280</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230375r627750_rule</a>, <a href="">SRG-OS-000266-VMM-000940</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the <code>ocredit</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr> to require use of a special character in passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_ocredit:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>ocredit = -1 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-detail-idm45662295716016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-80655-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Lowercase 
Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_lcredit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80655-4">CCE-80655-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000193</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000070-GPOS-00038</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020120</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230358r627750_rule</a>, <a href="">SRG-OS-000070-VMM-000370</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the <code>lcredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of a lowercase character in passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_lcredit:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>lcredit = -1 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-detail-idm45662295711184"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-80653-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Digit Characters</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_dcredit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80653-9">CCE-80653-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000194</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000071-GPOS-00039</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020130</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230359r627750_rule</a>, <a href="">SRG-OS-000071-VMM-000380</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the <code>dcredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of a digit in passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_dcredit:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>dcredit = -1 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-detail-idm45662295706352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit mediumCCE-80665-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_ucredit:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80665-3">CCE-80665-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000192</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000069-GPOS-00037</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020110</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230357r627750_rule</a>, <a href="">SRG-OS-000069-VMM-000360</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the <code>ucredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of an uppercase character in passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_ucredit:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>ucredit = -1 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-detail-idm45662295701520"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-80656-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Length</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_minlen:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80656-2">CCE-80656-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000205</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020230</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230369r627750_rule</a>, <a href="">SRG-OS-000072-VMM-000390</a>, <a href="">SRG-OS-000078-VMM-000450</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">18</abbr></code> after pam_pwquality to set minimum password length requirements.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. <br> Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_minlen:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>minlen = 18 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-detail-idm45662295693984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-80669-5 </div><div class="panel-heading"><h3 class="panel-title">Set Interval For Counting Failed Password Attempts</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_interval:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80669-5">CCE-80669-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a 
href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020012</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230334r627750_rule</a>, <a href="">SRG-OS-000021-VMM-000050</a></p></td></tr><tr><td>Description</td><td><div class="description">Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. 
Modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li>Add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre> </li><li>Add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr> </pre> </li><li>Add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required pam_faillock.so</pre> </li></ul></div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by locking the account.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check maximum preauth fail_interval allowed in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">check maximum authfail fail_interval allowed in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">check maximum authfail fail_interval allowed in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">check maximum preauth fail_interval allowed in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">check if pam_faillock.so is required in account section in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_requires_password-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> account required pam_faillock.so</td></tr></tbody></table><h4><span class="label label-primary">check if pam_faillock.so is required in account section in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_requires_system-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> account required 
pam_faillock.so</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-detail-idm45662295689088"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit Password Reusexccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember mediumCCE-80666-1 </div><div class="panel-heading"><h3 class="panel-title">Limit Password Reuse</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_unix_remember:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80666-1">CCE-80666-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000200</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(e)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000077-GPOS-00045</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020220</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230368r627750_rule</a>, <a href="">SRG-OS-000077-VMM-000440</a></p></td></tr><tr><td>Description</td><td><div class="description">Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <code>pam_pwhistory</code> PAM modules. 
<br><br> In the file <code>/etc/pam.d/system-auth</code>, append <code>remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">2</abbr></code> to the line which refers to the <code>pam_unix.so</code> or <code>pam_pwhistory.so</code> module, as shown below: <ul><li>for the <code>pam_unix.so</code> case: <pre>password sufficient pam_unix.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">2</abbr></pre> </li><li>for the <code>pam_pwhistory.so</code> case: <pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">2</abbr></pre> </li></ul> The DoD STIG requirement is 5 passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_password_pam_unix_remember:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Test if remember attribute of pam_pwhistory.so is set correctly in 
/etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_password_pam_pwhistory_remember:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-detail-idm45662295684240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-80670-3 </div><div class="panel-heading"><h3 class="panel-title">Set Lockout Time for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80670-3">CCE-80670-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020014</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230336r627750_rule</a>, <a href="">SRG-OS-000329-VMM-001180</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using <code>pam_faillock.so</code>, modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> 
statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required pam_faillock.so</pre></li></ul> If <code>unlock_time</code> is set to <code>0</code>, manual intervention by an administrator is required to unlock a user.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if external variable unlock time is never</span> <span class="label label-default">oval:ssg-test_var_faillock_unlock_time_is_never:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1</td><td>900</td></tr></tbody></table><h4><span class="label label-primary">Check if unlock time is never</span> <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_is_never:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/password-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table><h4><span class="label label-primary">Check if external variable unlock time is never</span> <span class="label label-default">oval:ssg-test_var_faillock_unlock_time_is_never:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1</td><td>900</td></tr></tbody></table><h4><span class="label label-primary">Check if unlock time is never, or greater than or equal external variable</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_greater_or_equal_ext_var:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth [default=die] pam_faillock.so authfail 
fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr><tr><td>/etc/pam.d/password-auth</td><td>auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-detail-idm45662295679328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Deny For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-80667-9 </div><div class="panel-heading"><h3 class="panel-title">Set Deny For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80667-9">CCE-80667-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020010</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230332r627750_rule</a>, <a href="">SRG-OS-000021-VMM-000050</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>, modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from 
TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required pam_faillock.so</pre></li></ul></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix.</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root auth sufficient pam_unix.so nullok try_first_pass </td></tr></tbody></table><h4><span class="label label-primary">Check if pam_faillock.so is called in account phase before pam_unix</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> account required pam_faillock.so account required pam_unix.so </td></tr></tbody></table><h4><span class="label label-primary">Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root auth sufficient pam_unix.so nullok try_first_pass </td></tr></tbody></table><h4><span class="label label-primary">Check if pam_faillock_so is called in account phase before pam_unix.</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> account required pam_faillock.so account required pam_unix.so </td></tr></tbody></table><h4><span class="label label-primary">Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Is pam_faillock not 
skipped?">oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin</td><td>/etc/pam.d/system-auth</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3</td></tr></tbody></table><h4><span class="label label-primary">Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Is pam_faillock not skipped?">oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>3Referenced variable has no values 
(oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin</td><td>/etc/pam.d/password-auth</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct.</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-detail-idm45662295674464"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-80668-7 </div><div class="panel-heading"><h3 class="panel-title">Configure the root Account for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80668-7">CCE-80668-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020022</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230344r646874_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</code>, modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li>Modify the following line in the <code>AUTH</code> section to add <code>even_deny_root</code>: <pre>auth required pam_faillock.so preauth silent <b>even_deny_root</b> deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li>Modify the following line in the <code>AUTH</code> section to add <code>even_deny_root</code>: <pre>auth [default=die] pam_faillock.so authfail <b>even_deny_root</b> deny=<abbr title="from TestResult: 
xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">900</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre> </li></ul></div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_pam_faillock_preauth_silent_system-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root auth sufficient pam_unix.so nullok try_first_pass </td></tr></tbody></table><h4><span class="label label-primary">Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)</span> <span class="label label-default">oval:ssg-test_pam_faillock_authfail_deny_root_system-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root </td></tr></tbody></table><h4><span class="label label-primary">Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_pam_faillock_preauth_silent_password-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> auth required pam_faillock.so preauth silent fail_interval=900 unlock_time=900 deny=3 even_deny_root auth sufficient pam_unix.so nullok try_first_pass </td></tr></tbody></table><h4><span class="label label-primary">Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)</span> <span class="label label-default">oval:ssg-test_pam_faillock_authfail_deny_root_password-auth:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td> auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail fail_interval=900 unlock_time=900 deny=3 even_deny_root </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_enable_pam_namespace" id="rule-detail-idm45662295750512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Up a Private Namespace in PAM 
Configurationxccdf_org.ssgproject.content_rule_enable_pam_namespace lowCCE-83744-3 </div><div class="panel-heading"><h3 class="panel-title">Set Up a Private Namespace in PAM Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_pam_namespace</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-enable_pam_namespace:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:28+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83744-3">CCE-83744-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set up a private namespace, add the following line to <code>/etc/pam.d/login</code>: <pre>session required pam_namespace.so</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. 
A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. The polyinstantiated directories can be used to dedicate separate temporary directories to each account.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the presence of pam_namespace.so module in the /etc/pam.d/login file</span> <span class="label label-default">oval:ssg-test_enable_pam_namespace:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/login</td><td>session required pam_namespace.so</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" id="rule-detail-idm45662295619072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Length in login.defsxccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs mediumCCE-80652-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Length in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_minlen_login_defs:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80652-1">CCE-80652-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000205</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020231</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230370r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs">18</abbr></pre> <br><br> The DoD requirement is <code>15</code>. The FISMA requirement is <code>12</code>. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs">18</abbr></code>. If a program consults <code>/etc/login.defs</code> and also another PAM module (such as <code>pam_pwquality</code>) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. 
However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs</span> <span class="label label-default">oval:ssg-test_pass_min_len:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_min_len_instance_value:var:1</td><td>18</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-detail-idm45662295614208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-80647-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_maximum_age_login_defs:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80647-1">CCE-80647-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.1.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000199</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000076-GPOS-00044</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020200</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230366r646878_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">90</abbr></pre> A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">90</abbr></code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. <br><br> Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs</span> <span class="label label-default">oval:ssg-test_pass_max_days:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_max_days_instance_value:var:1</td><td>90</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_direct_root_logins" id="rule-detail-idm45662295586288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Direct root Logins Not Allowedxccdf_org.ssgproject.content_rule_no_direct_root_logins mediumCCE-80840-2 </div><div class="panel-heading"><h3 class="panel-title">Direct root Logins Not Allowed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_direct_root_logins</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-no_direct_root_logins:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80840-2">CCE-80840-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.6</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a></p></td></tr><tr><td>Description</td><td><div class="description">To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty</code> file. This file lists all devices the root user is allowed to log in on. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or via a raw network interface. This is dangerous because a user can log in to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux 8's <code>/etc/securetty</code> file only allows the root user to log in at the console physically attached to the system. To prevent direct root logins, remove the contents of this file by typing the following command: <pre> $ sudo sh -c 'echo > /etc/securetty' </pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. 
Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">no entries in /etc/securetty</span> <span class="label label-default">oval:ssg-test_no_direct_root_logins:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/securetty</td><td></td></tr></tbody></table><h4><span class="label label-primary">/etc/securetty file exists</span> <span class="label label-default">oval:ssg-test_etc_securetty_exists:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/securetty</td><td></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth" id="rule-detail-idm45662295548528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set number of Password Hashing Rounds - system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth mediumCCE-83386-3 </div><div class="panel-heading"><h3 class="panel-title">Set number of Password Hashing Rounds - system-auth</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_unix_rounds_system_auth:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83386-3">CCE-83386-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R32)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000196</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000073-GPOS-00041</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010130</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230233r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure the number of rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>pam_unix</code> PAM module. 
<br><br> In file <code>/etc/pam.d/system-auth</code> append <code>rounds=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds">65536</abbr></code> to the <code>pam_unix.so</code> line, as shown below: <pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds">65536</abbr></pre> The system's default number of rounds is 5000.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Using a higher number of rounds makes password cracking attacks more difficult.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_system_auth_pam_unix_rounds_is_set:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Test if rounds attribute of pam_unix.so is not set in /etc/pam.d/system-auth</span> <span class="label 
label-default">oval:ssg-test_system_auth_pam_unix_rounds_is_default:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Check if value of var_password_pam_unix_rounds is the system's default</span> <span class="label label-default">oval:ssg-test_system_auth_default_pam_unix_rounds_var:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_password_pam_unix_rounds:var:1</td><td>65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth" id="rule-detail-idm45662295540944"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set number of Password Hashing Rounds - password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth mediumCCE-83403-6 </div><div class="panel-heading"><h3 class="panel-title">Set number of Password Hashing Rounds - password-auth</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_unix_rounds_password_auth:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83403-6">CCE-83403-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R32)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000196</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000073-GPOS-00041</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010130</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230233r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure the number of rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>pam_unix</code> PAM module. 
<br><br> In file <code>/etc/pam.d/password-auth</code> append <code>rounds=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds">65536</abbr></code> to the <code>pam_unix.so</code> line, as shown below: <pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds">65536</abbr></pre> The system's default number of rounds is 5000.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Using a higher number of rounds makes password cracking attacks more difficult.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Test if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_password_auth_pam_unix_rounds_is_set:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Test if rounds attribute of pam_unix.so is not set in /etc/pam.d/password-auth</span> <span class="label 
label-default">oval:ssg-test_password_auth_pam_unix_rounds_is_default:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2 rounds=65536</td></tr></tbody></table><h4><span class="label label-primary">Check if value of var_password_pam_unix_rounds is the system's default</span> <span class="label label-default">oval:ssg-test_password_auth_default_pam_unix_rounds_var:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_password_pam_unix_rounds:var:1</td><td>65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" id="rule-detail-idm45662295476320"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc mediumCCE-81036-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Bash Umask is Set Correctly</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_umask_etc_bashrc:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81036-6">CCE-81036-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.4</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020353</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230385r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> to read as follows: <pre>umask <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">077</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The umask value influences the permissions assigned to files when they are created. 
A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>63</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement</span> <span class="label label-default">oval:ssg-tst_accounts_umask_etc_bashrc:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_bashrc_umask_as_number:var:1</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" id="rule-detail-idm45662295468784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly in 
/etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile unknownCCE-81035-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in /etc/profile</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_umask_etc_profile:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81035-8">CCE-81035-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.4</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: 
<pre>umask <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">077</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>63</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement</span> <span class="label label-default">oval:ssg-tst_accounts_umask_etc_profile:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_profile_umask_as_number:var:1</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td><td>63</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-detail-idm45662295463952"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs mediumCCE-82888-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_umask_etc_login_defs:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82888-9">CCE-82888-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020351</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230383r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc/login.defs</code> to read as follows: <pre>UMASK <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">077</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The umask value influences the permissions assigned to files when they are created. 
A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>63</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement</span> <span class="label label-default">oval:ssg-tst_accounts_umask_etc_login_defs:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_login_defs_umask_as_number:var:1</td><td>63</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" id="rule-detail-idm45662295525840"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Polyinstantiation of /tmp Directoriesxccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp lowCCE-83732-8 </div><div class="panel-heading"><h3 class="panel-title">Configure Polyinstantiation of /tmp 
Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_polyinstantiated_tmp:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83732-8">CCE-83732-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. 
Use the following command: <pre>$ sudo mkdir --mode 000 /tmp/tmp-inst</pre> Then, add the following entry to <code>/etc/security/namespace.conf</code>: <pre>/tmp /tmp/tmp-inst/ level root,adm</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Polyinstantiation of temporary directories is a proactive security measure which reduces chances of attacks that are made possible by /tmp directories being world-writable.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that /tmp/tmp-inst exists and has mode 000</span> <span class="label label-default">oval:ssg-test_tmp_inst:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/tmp/tmp-inst/</td><td>directory</td><td>0</td><td>0</td><td>57</td><td><code>--------- </code></td></tr></tbody></table><h4><span class="label label-primary">Check configuration of /tmp in /etc/security/namespace.conf file</span> <span class="label label-default">oval:ssg-test_tmp_in_namespace_conf:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/namespace.conf</td><td>/tmp /tmp/tmp-inst/ level root,adm</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" id="rule-detail-idm45662295500832"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Polyinstantiation of /var/tmp Directoriesxccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp lowCCE-83778-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Polyinstantiation of /var/tmp Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_polyinstantiated_var_tmp:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83778-1">CCE-83778-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. 
Use the following command: <pre>$ sudo mkdir --mode 000 /var/tmp/tmp-inst</pre> Then, add the following entry to <code>/etc/security/namespace.conf</code>: <pre>/var/tmp /var/tmp/tmp-inst/ level root,adm</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Polyinstantiation of temporary directories is a proactive security measure which reduces chances of attacks that are made possible by /var/tmp directories being world-writable.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that /tmp-inst exists and has mode 000</span> <span class="label label-default">oval:ssg-test_var_tmp_tmp_inst:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/tmp/tmp-inst/</td><td>directory</td><td>0</td><td>0</td><td>57</td><td><code>--------- </code></td></tr></tbody></table><h4><span class="label label-primary">Check configuration of /tmp in /etc/security/namespace.conf file</span> <span class="label label-default">oval:ssg-test_var_tmp_in_namespace_conf:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/security/namespace.conf</td><td>/var/tmp /var/tmp/tmp-inst/ level root,adm</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_tmout" 
id="rule-detail-idm45662295496832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-80673-7 </div><div class="panel-heading"><h3 class="panel-title">Set Interactive Session Timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_tmout</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_tmout:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80673-7">CCE-80673-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000057</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002361</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000029-GPOS-00010</a>, <a href="">SRG-OS-000163-VMM-000700</a>, <a href="">SRG-OS-000279-VMM-001010</a></p></td></tr><tr><td>Description</td><td><div class="description">Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The <code>TMOUT</code> setting in a file loaded by <code>/etc/profile</code>, e.g. <code>/etc/profile.d/tmout.sh</code> should read as follows: <pre>TMOUT=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_tmout">600</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">TMOUT in /etc/profile</span> <span class="label label-default">oval:ssg-test_etc_profile_tmout:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_profile_tmout:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/profile</td><td>^[\s]*TMOUT=([\w$]+).*$</td><td>1</td></tr></tbody></table><h4><span 
class="label label-primary">TMOUT in /etc/profile.d/*.sh</span> <span class="label label-default">oval:ssg-test_etc_profiled_tmout:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/profile.d/tmout.sh</td><td>TMOUT=600</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" id="rule-detail-idm45662295094256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo mediumCCE-80737-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - sudo</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_privileged_commands_sudo:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80737-0">CCE-80737-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.2.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="">SRG-OS-000471-VMM-001910</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect the execution of privileged commands for all users and root. 
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules sudo</span>Â <span class="label label-default">oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/rules.d/privileged.rules</td><td>-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged </td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl sudo</span>Â <span class="label label-default">oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" id="rule-detail-idm45662294879648"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting Secure Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects mediumCCE-81017-6 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Secure Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81017-6">CCE-81017-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.secure_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. 
It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81017-6: Set net.ipv4.conf.default.secure_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.default.secure_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81017-6: Set net.ipv4.conf.default.secure_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.default.secure_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.secure_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-detail-idm45662294874736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-80917-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Accepting ICMP Redirects for All IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:29+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80917-8">CCE-80917-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001503</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040280</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230544r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.accept_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. <br> This feature of the IPv4 protocol has few legitimate uses. 
It should be disabled unless absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-80917-8: Set net.ipv4.conf.all.accept_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.all.accept_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-80917-8: Set net.ipv4.conf.all.accept_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.all.accept_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.accept_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-detail-idm45662294867760"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-80920-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80920-2">CCE-80920-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040250</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230539r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.accept_source_route = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. <br> Accepting source-routed packets in the IPv4 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-80920-2: Set net.ipv4.conf.default.accept_source_route = 0 in /etc/sysctl.conf net.ipv4.conf.default.accept_source_route = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-80920-2: Set net.ipv4.conf.default.accept_source_route = 0 in /etc/sysctl.conf net.ipv4.conf.default.accept_source_route = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" id="rule-detail-idm45662294862832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies mediumCCE-80923-6 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80923-6">CCE-80923-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.8</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001095</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000420-GPOS-00186</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000142-GPOS-00071</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.tcp_syncookies = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. 
Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-80923-6: Set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf net.ipv4.tcp_syncookies = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-80923-6: Set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf net.ipv4.tcp_syncookies = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_tcp_syncookies:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_tcp_syncookies:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.tcp_syncookies</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range" id="rule-detail-idm45662294857984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Kernel Parameter to Increase Local Port Rangexccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range mediumCCE-84277-3 </div><div class="panel-heading"><h3 class="panel-title">Set Kernel Parameter to Increase Local Port Range</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_ip_local_port_range:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84277-3">CCE-84277-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.ip_local_port_range</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.ip_local_port_range = 32768 65535</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">This setting defines the local port range that is used by TCP and UDP to choose the local port. 
The first number is the first local port number; the second is the last.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.ip_local_port_range static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_ip_local_port_range:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>net.ipv4.ip_local_port_range = 32768 65535 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_ip_local_port_range:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>net.ipv4.ip_local_port_range = 32768 65535 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_ip_local_port_range:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_ip_local_port_range:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_local_port_range static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_local_port_range:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_local_port_range:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.ip_local_port_range set to 32768 65535</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_ip_local_port_range:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.ip_local_port_range</td><td>32768 65535</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-detail-idm45662294853984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 
Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-80919-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80919-4">CCE-80919-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040210</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230535r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.accept_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. <br>This feature of the IPv4 protocol has few legitimate uses. 
It should be disabled unless absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-80919-4: Set net.ipv4.conf.default.accept_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.default.accept_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-80919-4: Set net.ipv4.conf.default.accept_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.default.accept_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.accept_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" id="rule-detail-idm45662294849072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians unknownCCE-81018-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81018-4">CCE-81018-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.4</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.log_martians</code> kernel parameter, run the 
following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.log_martians=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.log_martians = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81018-4: Set net.ipv4.conf.all.log_martians = 1 in /etc/sysctl.conf net.ipv4.conf.all.log_martians = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81018-4: Set net.ipv4.conf.all.log_martians = 1 in /etc/sysctl.conf 
net.ipv4.conf.all.log_martians = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_log_martians:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.log_martians</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" id="rule-detail-idm45662294844192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknownCCE-81023-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81023-4">CCE-81023-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.6</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81023-4: Set net.ipv4.icmp_ignore_bogus_error_responses = 1 in /etc/sysctl.conf net.ipv4.icmp_ignore_bogus_error_responses = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81023-4: Set net.ipv4.icmp_ignore_bogus_error_responses = 1 in /etc/sysctl.conf net.ipv4.icmp_ignore_bogus_error_responses = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.icmp_ignore_bogus_error_responses</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" id="rule-detail-idm45662294839264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter mediumCCE-81022-6 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81022-6">CCE-81022-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.7</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.rp_filter = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. 
It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81022-6: Set net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.conf net.ipv4.conf.default.rp_filter = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81022-6: Set net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.conf net.ipv4.conf.default.rp_filter = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.rp_filter</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" id="rule-detail-idm45662294834368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects mediumCCE-81016-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81016-8">CCE-81016-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001503</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.secure_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_secure_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81016-8: Set net.ipv4.conf.all.secure_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.all.secure_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span>&nbsp;<span 
class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81016-8: Set net.ipv4.conf.all.secure_redirects = 0 in /etc/sysctl.conf net.ipv4.conf.all.secure_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_secure_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.secure_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-detail-idm45662294829456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-81011-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81011-9">CCE-81011-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040240</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230538r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.accept_source_route = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. <br><br> Accepting source-routed packets in the IPv4 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td># Do not accept source routing net.ipv4.conf.all.accept_source_route = 0 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337" id="rule-detail-idm45662294824544"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337 mediumCCE-84270-8 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_tcp_rfc1337:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84270-8">CCE-84270-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.tcp_rfc1337</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_rfc1337=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.tcp_rfc1337 = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Enable TCP behavior conformant with RFC 1337. 
When disabled, if a RST is received in TIME_WAIT state, we close the socket immediately without waiting for the end of the TIME_WAIT period.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.tcp_rfc1337 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_tcp_rfc1337:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84270-8: Set net.ipv4.tcp_rfc1337 = 1 in /etc/sysctl.conf net.ipv4.tcp_rfc1337 = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_rfc1337:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84270-8: Set net.ipv4.tcp_rfc1337 = 1 in /etc/sysctl.conf net.ipv4.tcp_rfc1337 = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_tcp_rfc1337:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_tcp_rfc1337:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_rfc1337[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_rfc1337 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_rfc1337:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_rfc1337:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_rfc1337[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.tcp_rfc1337 set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_tcp_rfc1337:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.tcp_rfc1337</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" id="rule-detail-idm45662294814256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 
Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-81021-8 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81021-8">CCE-81021-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.7</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040285</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230549r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.rp_filter = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. 
It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td># Source route verification net.ipv4.conf.all.rp_filter = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.rp_filter</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-detail-idm45662294809392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-80921-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80921-0">CCE-80921-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.1.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040270</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230543r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.send_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
<br> The ability to send ICMP redirects is only appropriate for systems acting as routers.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>net.ipv4.conf.default.send_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>net.ipv4.conf.default.send_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_send_redirects:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_send_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.send_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-detail-idm45662294805360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-80918-6 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80918-6">CCE-80918-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.1.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040220</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230536r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.send_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
<br> The ability to send ICMP redirects is only appropriate for systems acting as routers.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>net.ipv4.conf.all.send_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>net.ipv4.conf.all.send_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_send_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.send_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-detail-idm45662294801344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for IP Forwarding on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward 
mediumCCE-81024-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_ip_forward:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81024-2">CCE-81024-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.1.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040260</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230540r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: 
<pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.ip_forward = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.ip_forward static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_ip_forward:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>net.ipv4.ip_forward = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_ip_forward:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been 
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>net.ipv4.ip_forward = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_ip_forward:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_ip_forward:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_forward:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_forward:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.ip_forward set to 0</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_ip_forward:tst:1</span>&nbsp;<span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.ip_forward</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" id="rule-detail-idm45662294785744"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-81010-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81010-1">CCE-81010-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.2</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040210</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230535r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit ICMP redirect message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL 
test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration</span>&nbsp;<span class="label 
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81010-1: Set net.ipv6.conf.default.accept_redirects = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81010-1: Set net.ipv6.conf.default.accept_redirects = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_redirects:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref" id="rule-detail-idm45662294780832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure 
Accepting Router Preference in Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref unknownCCE-84288-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84288-0">CCE-84288-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_rtr_pref</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_ra_rtr_pref = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_rtr_pref static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84288-0: Set net.ipv6.conf.all.accept_ra_rtr_pref = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_rtr_pref = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84288-0: Set net.ipv6.conf.all.accept_ra_rtr_pref = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_rtr_pref = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_rtr_pref:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_ra_rtr_pref set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_rtr_pref:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_ra_rtr_pref</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses" id="rule-detail-idm45662294775920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses unknownCCE-84257-5 </div><div class="panel-heading"><h3 class="panel-title">Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_max_addresses:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:31+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84257-5">CCE-84257-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.max_addresses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.max_addresses=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.max_addresses = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label 
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.max_addresses static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_max_addresses:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84257-5: Set net.ipv6.conf.default.max_addresses = 1 in /etc/sysctl.conf net.ipv6.conf.default.max_addresses = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_max_addresses:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84257-5: Set net.ipv6.conf.default.max_addresses = 1 in /etc/sysctl.conf net.ipv6.conf.default.max_addresses = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_max_addresses:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_max_addresses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.max_addresses static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_max_addresses:tst:1</span> 
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_max_addresses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.max_addresses set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_max_addresses:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.max_addresses</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" id="rule-detail-idm45662294765584"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route mediumCCE-81015-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81015-0">CCE-81015-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a 
href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040250</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230539r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span 
class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81015-0: Set net.ipv6.conf.default.accept_source_route = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_source_route = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81015-0: Set net.ipv6.conf.default.accept_source_route = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_source_route = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_source_route:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations" 
id="rule-detail-idm45662294758592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Denying Router Solicitations on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations unknownCCE-83477-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Denying Router Solicitations on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_router_solicitations:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83477-0">CCE-83477-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.router_solicitations</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.router_solicitations = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">To prevent discovery of the system by other systems, router solicitation requests should be denied.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.router_solicitations static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_router_solicitations:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-83477-0: Set net.ipv6.conf.default.router_solicitations = 0 in /etc/sysctl.conf net.ipv6.conf.default.router_solicitations = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_router_solicitations:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-83477-0: Set net.ipv6.conf.default.router_solicitations = 0 in /etc/sysctl.conf net.ipv6.conf.default.router_solicitations = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_router_solicitations:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_router_solicitations:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.router_solicitations static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_router_solicitations:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_router_solicitations:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.router_solicitations set to the appropriate value</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_router_solicitations:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.router_solicitations</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-detail-idm45662294753664"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-81013-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81013-5">CCE-81013-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.2.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040240</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230538r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_source_route = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. <br><br> Accepting source-routed packets in the IPv6 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span 
class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81013-5: Set net.ipv6.conf.all.accept_source_route = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_source_route = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81013-5: Set net.ipv6.conf.all.accept_source_route = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_source_route = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table 
table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_source_route:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf" id="rule-detail-idm45662294746048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure 
Auto Configuration on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf unknownCCE-84264-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Auto Configuration on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_autoconf:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84264-1">CCE-84264-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.autoconf</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.autoconf=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.autoconf = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.autoconf static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_autoconf:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84264-1: Set net.ipv6.conf.default.autoconf = 0 in /etc/sysctl.conf net.ipv6.conf.default.autoconf = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_autoconf:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84264-1: Set net.ipv6.conf.default.autoconf = 0 in /etc/sysctl.conf net.ipv6.conf.default.autoconf = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_autoconf:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_autoconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.autoconf static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_autoconf:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_autoconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.autoconf set to the appropriate value</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_autoconf:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.autoconf</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo" id="rule-detail-idm45662294741168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo unknownCCE-84280-7 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_pinfo:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84280-7">CCE-84280-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_ra_pinfo = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label 
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_pinfo static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84280-7: Set net.ipv6.conf.all.accept_ra_pinfo = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_pinfo = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84280-7: Set net.ipv6.conf.all.accept_ra_pinfo = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_pinfo = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_pinfo:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_pinfo:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_ra_pinfo set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_pinfo:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_ra_pinfo</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf" id="rule-detail-idm45662294734208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Auto Configuration on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf unknownCCE-84266-6 </div><div class="panel-heading"><h3 class="panel-title">Configure Auto Configuration on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_autoconf:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84266-6">CCE-84266-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.autoconf</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.autoconf=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.autoconf = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label 
label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.autoconf static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_autoconf:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84266-6: Set net.ipv6.conf.all.autoconf = 0 in /etc/sysctl.conf net.ipv6.conf.all.autoconf = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_autoconf:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84266-6: Set net.ipv6.conf.all.autoconf = 0 in /etc/sysctl.conf net.ipv6.conf.all.autoconf = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_autoconf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_autoconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.autoconf static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_autoconf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_autoconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.autoconf set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_autoconf:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.autoconf</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr" id="rule-detail-idm45662294729344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr unknownCCE-84268-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_defrtr:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84268-2">CCE-84268-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_ra_defrtr = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span 
class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_defrtr static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span> <span 
class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84268-2: Set net.ipv6.conf.default.accept_ra_defrtr = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_defrtr = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84268-2: Set net.ipv6.conf.default.accept_ra_defrtr = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_defrtr = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_defrtr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_defrtr static 
configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_defrtr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_ra_defrtr set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_defrtr:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_ra_defrtr</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses" id="rule-detail-idm45662294724432"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses unknownCCE-84259-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_max_addresses:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84259-1">CCE-84259-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.max_addresses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.max_addresses=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.max_addresses = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of 
statically configured addresses.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span 
class="label label-primary">net.ipv6.conf.all.max_addresses static configuration</span>&#160;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_max_addresses:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84259-1: Set net.ipv6.conf.all.max_addresses = 1 in /etc/sysctl.conf net.ipv6.conf.all.max_addresses = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_max_addresses:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84259-1: Set net.ipv6.conf.all.max_addresses = 1 in /etc/sysctl.conf net.ipv6.conf.all.max_addresses = 1 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_max_addresses:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_max_addresses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.max_addresses static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_max_addresses:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_max_addresses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.max_addresses set to the appropriate value</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_max_addresses:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.max_addresses</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo" id="rule-detail-idm45662294719536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Prefix Information in Router Advertisements 
on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo unknownCCE-84051-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84051-2">CCE-84051-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_ra_pinfo = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_pinfo static configuration</span>&#160;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84051-2: Set net.ipv6.conf.default.accept_ra_pinfo = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_pinfo = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84051-2: Set net.ipv6.conf.default.accept_ra_pinfo = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_pinfo = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_pinfo:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_pinfo static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_pinfo:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_ra_pinfo set to the appropriate value</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_pinfo:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_ra_pinfo</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" id="rule-detail-idm45662294714624"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref unknownCCE-84291-4 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_rtr_pref:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84291-4">CCE-84291-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_rtr_pref</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_ra_rtr_pref = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span>&#160;<span class="label 
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_rtr_pref static configuration</span>&#160;<span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84291-4: Set net.ipv6.conf.default.accept_ra_rtr_pref = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_rtr_pref = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84291-4: Set net.ipv6.conf.default.accept_ra_rtr_pref = 0 in /etc/sysctl.conf net.ipv6.conf.default.accept_ra_rtr_pref = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra_rtr_pref static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra_rtr_pref:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_ra_rtr_pref set to the appropriate value</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra_rtr_pref:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_ra_rtr_pref</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" id="rule-detail-idm45662294709696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-81009-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Accepting ICMP Redirects for All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81009-3">CCE-81009-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.3.2</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040280</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230544r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_redirects = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit ICMP redirect message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-81009-3: Set net.ipv6.conf.all.accept_redirects = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_redirects = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-81009-3: Set net.ipv6.conf.all.accept_redirects = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_redirects = 0 
</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_redirects</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations" id="rule-detail-idm45662294702080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Denying Router Solicitations on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations unknownCCE-84109-8 </div><div class="panel-heading"><h3 class="panel-title">Configure Denying Router Solicitations on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_router_solicitations:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:32+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84109-8">CCE-84109-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.router_solicitations</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.router_solicitations = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">To prevent discovery of the system by other systems, router solicitation requests should be denied.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.router_solicitations static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_router_solicitations:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84109-8: Set net.ipv6.conf.all.router_solicitations = 0 in /etc/sysctl.conf net.ipv6.conf.all.router_solicitations = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_router_solicitations:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84109-8: Set net.ipv6.conf.all.router_solicitations = 0 in /etc/sysctl.conf net.ipv6.conf.all.router_solicitations = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_router_solicitations:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_router_solicitations:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.router_solicitations static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_router_solicitations:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_router_solicitations:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.router_solicitations set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_router_solicitations:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.router_solicitations</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr" id="rule-detail-idm45662294697168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Default Router in Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr unknownCCE-84272-4 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84272-4">CCE-84272-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_ra_defrtr = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">An illicit router advertisement message could result in a man-in-the-middle attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label 
label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_defrtr static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td># Per CCE-84272-4: Set net.ipv6.conf.all.accept_ra_defrtr = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_defrtr = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td># Per CCE-84272-4: Set net.ipv6.conf.all.accept_ra_defrtr = 0 in /etc/sysctl.conf net.ipv6.conf.all.accept_ra_defrtr = 0 </td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra_defrtr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra_defrtr static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span> <span 
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra_defrtr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_ra_defrtr set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra_defrtr:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_ra_defrtr</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" id="rule-detail-idm45662294650352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Logrotate Runs Periodicallyxccdf_org.ssgproject.content_rule_ensure_logrotate_activated mediumCCE-80794-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logrotate Runs Periodically</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_logrotate_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions 
of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_logrotate_activated:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80794-1">CCE-80794-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT12(R18)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate.conf</code>, which triggers a cron task. 
To configure logrotate to run daily, add or correct the following line in <code>/etc/logrotate.conf</code>: <pre># rotate log files <i>frequency</i> daily</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests the presence of daily setting in /etc/logrotate.conf file</span> <span class="label label-default">oval:ssg-test_logrotate_conf_daily_setting:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/logrotate.conf</td><td>daily </td></tr></tbody></table><h4><span class="label label-primary">Test if there is no weekly/monthly/yearly keyword</span> <span class="label label-default">oval:ssg-test_logrotate_conf_no_other_keyword:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_logrotate_conf_no_other_keyword:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/logrotate.conf</td><td>^\s*(weekly|monthly|yearly)[\s#]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate 
utility)</span> <span class="label label-default">oval:ssg-test_cron_daily_logrotate_existence:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/cron.daily/logrotate</td><td> /usr/sbin/logrotate /etc/logrotate.conf</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-detail-idm45662294646352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost mediumCCE-80863-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logs Sent To Remote Host</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_loghost:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80863-4">CCE-80863-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R7)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R43)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT12(R5)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.5</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001348</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000136</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-030690</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230479r627750_rule</a>, <a href="">SRG-OS-000032-VMM-000130</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting <code><i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></code> appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. <br> To use UDP for log message delivery: <pre>*.* @<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> To use TCP for log message delivery: <pre>*.* @@<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> To use RELP for log message delivery: <pre>*.* :omrelp:<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> There must be a resolvable DNS CNAME or Alias record set to "<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>" for logs to be sent correctly to the centralized logging utility.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">A log server (loghost) receives syslog messages from one or more systems. 
This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensures system configured to export logs to remote host</span> <span class="label label-default">oval:ssg-test_remote_rsyslog_conf:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/rsyslog.conf</td><td>*.* @</td></tr></tbody></table><h4><span class="label label-primary">Ensures system configured to export logs to remote host</span> <span class="label label-default">oval:ssg-test_remote_rsyslog_d:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_remote_loghost_rsyslog_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.d</td><td>.*</td><td>^\*\.\*[\s]+(?:@|\:omrelp\:)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" id="rule-detail-idm45662294642368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure TLS 
for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls mediumCCE-82457-3 </div><div class="panel-heading"><h3 class="panel-title">Configure TLS for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82457-3">CCE-82457-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure <code>rsyslog</code> to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in <code>/etc/rsyslog.conf</code> using action. 
You can use the following command: <pre>echo 'action(type="omfwd" protocol="tcp" Target="&lt;remote system&gt;" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf </pre> Replace the <code>&lt;remote system&gt;</code> in the above command with an IP address or a host name of the remote logging server.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the omfwd action configuration</span> <span class="label label-default">oval:ssg-test_rsyslog_remote_tls:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*action\((?i)type(?-i)="omfwd"(.+?)\)</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" id="rule-detail-idm45662294638400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure CA certificate for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert mediumCCE-82458-1 </div><div class="panel-heading"><h3 
class="panel-title">Configure CA certificate for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls_cacert:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82458-1">CCE-82458-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure CA certificate for <code>rsyslog</code> logging to remote server using 
Transport Layer Security (TLS) using correct path for the <code>DefaultNetstreamDriverCAFile</code> global option in <code>/etc/rsyslog.conf</code>, for example with the following command: <pre>echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf</pre> Replace the <code>/etc/pki/tls/cert.pem</code> in the above command with the path to the file with CA certificate generated for the purpose of remote logging.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The CA certificate needs to be set or <code>rsyslog.service</code> fails to start with <pre>error: ca certificate is not set, cannot continue</pre></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the DefaultNetstreamDriverCAFile configuration</span> <span class="label label-default">oval:ssg-test_rsyslog_remote_tls_cacert:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls_cacert:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*global\(DefaultNetstreamDriverCAFile="(.+?)"\)\s*\n</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-detail-idm45662294616640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Log Files Are Owned By Appropriate 
Groupxccdf_org.ssgproject.content_rule_rsyslog_files_groupownership mediumCCE-80860-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_groupownership:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80860-0">CCE-80860-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The group-owner of all log files written by <code>rsyslog</code> should be <code><abbr title="from TestResult: 
xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value">root</abbr></code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's group owner: <pre>$ ls -l <i>LOGFILE</i></pre> If the owner is not <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value">root</abbr></code>, run the following command to correct this: <pre>$ sudo chgrp <abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value">root</abbr> <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files are owned by the appropriate group</span> <span class="label label-default">oval:ssg-test_rsyslog_files_groupownership:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw------- </code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>312093</td><td><code>rw------- 
</code></td></tr><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>967</td><td><code>rw------- </code></td></tr><tr><td>/var/log/boot.log</td><td>regular</td><td>0</td><td>0</td><td>7596</td><td><code>rw------- </code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw------- </code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>2482</td><td><code>rw------- </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-detail-idm45662294612640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Log Files Are Owned By Appropriate Userxccdf_org.ssgproject.content_rule_rsyslog_files_ownership mediumCCE-80861-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_ownership:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80861-8">CCE-80861-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The owner of all log files written by <code>rsyslog</code> should be <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_owner_logfiles_value">root</abbr></code>. 
These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's owner: <pre>$ ls -l <i>LOGFILE</i></pre> If the owner is not <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_owner_logfiles_value">root</abbr></code>, run the following command to correct this: <pre>$ sudo chown <abbr title="from TestResult: xccdf_org.ssgproject.content_value_file_owner_logfiles_value">root</abbr> <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files are owned by the appropriate user</span>Â <span class="label label-default">oval:ssg-test_rsyslog_files_ownership:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------Â </code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>312093</td><td><code>rw-------Â </code></td></tr><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>967</td><td><code>rw-------Â 
</code></td></tr><tr><td>/var/log/boot.log</td><td>regular</td><td>0</td><td>0</td><td>7596</td><td><code>rw-------Â </code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------Â </code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>2482</td><td><code>rw-------Â </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" id="rule-detail-idm45662294608656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure System Log Files Have Correct Permissionsxccdf_org.ssgproject.content_rule_rsyslog_files_permissions mediumCCE-80862-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure System Log Files Have Correct Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_permissions:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80862-6">CCE-80862-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.3</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The file permissions for all log files written by <code>rsyslog</code> should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's permissions: <pre>$ ls -l <i>LOGFILE</i></pre> If the permissions are not 600 or more restrictive, run the following command to correct this: <pre>$ sudo chmod 0600 <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Log files can contain valuable information regarding system configuration. 
If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Permissions of system log files are correct</span>&#160;<span class="label label-default">oval:ssg-test_rsyslog_files_permissions:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&#160;</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>312093</td><td><code>rw-------&#160;</code></td></tr><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>967</td><td><code>rw-------&#160;</code></td></tr><tr><td>/var/log/boot.log</td><td>regular</td><td>0</td><td>0</td><td>7596</td><td><code>rw-------&#160;</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&#160;</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>2482</td><td><code>rw-------&#160;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed" id="rule-detail-idm45662294664400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog-gnutls is installedxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed mediumCCE-82859-0 </div><div class="panel-heading"><h3 
class="panel-title">Ensure rsyslog-gnutls is installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsyslog-gnutls_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82859-0">CCE-82859-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-030680</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230478r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">TLS protocol support for rsyslog is installed. The <code>rsyslog-gnutls</code> package can be installed with the following command: <pre> $ sudo yum install rsyslog-gnutls</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog-gnutls is installed</span>Â <span class="label label-default">oval:ssg-test_package_rsyslog-gnutls_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog-gnutls</td><td>x86_64</td><td>(none)</td><td>7.el8_4.2</td><td>8.1911.0</td><td>0:8.1911.0-7.el8_4.2</td><td>199e2f91fd431d51</td><td>rsyslog-gnutls-0:8.1911.0-7.el8_4.2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-detail-idm45662294660400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed 
mediumCCE-80847-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog is Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsyslog_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80847-7">CCE-80847-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.1</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-030670</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230477r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ sudo yum install rsyslog</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides system logging services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>Â <span class="label label-default">oval:ssg-test_package_rsyslog_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>7.el8_4.2</td><td>8.1911.0</td><td>0:8.1911.0-7.el8_4.2</td><td>199e2f91fd431d51</td><td>rsyslog-0:8.1911.0-7.el8_4.2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-detail-idm45662294656400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-80886-5 </div><div class="panel-heading"><h3 class="panel-title">Enable rsyslog Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_rsyslog_enabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80886-5">CCE-80886-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.2.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010561</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230298r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 8. 
The <code>rsyslog</code> service can be enabled with the following command: <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide logging services, which are essential to system administration.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>Â <span class="label label-default">oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>7.el8_4.2</td><td>8.1911.0</td><td>0:8.1911.0-7.el8_4.2</td><td>199e2f91fd431d51</td><td>rsyslog-0:8.1911.0-7.el8_4.2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the rsyslog service is running</span>Â <span class="label label-default">oval:ssg-test_service_running_rsyslog:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>rsyslog.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>Â <span class="label label-default">oval:ssg-test_multi_user_wants_rsyslog:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been 
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><
th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var-tmp.mount</td><td>var.mount</td><td>sysinit.target</td><td>plymouth-read-write.service</td><td>lvm2-monitor.service</td><td>cryptsetup.target</td><td>systemd-hwdb-update.service</td><td>sys-kernel-debug.mount</td><td>local-fs.target</td><td>-.mount</td><td>srv.mount</td><td>opt.mount</td><td>home.mount</td><td>var-log.mount</td><td>tmp.mount</td><td>var-log-audit.mount</td><td>usr.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>ostree-remount.service</td><td>lvm2-lvmpolld.socket</td><td>systemd-journal-flush.service</td><td>nis-domainname.service</td><td>iscsi-onboot.service</td><td>ldconfig.service</td><td>systemd-udevd.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-utmp.service</td><td>systemd-random-seed.service</td><td>plymouth-start.service</td><td>dev-mqueue.mount</td><td>systemd-tmpfiles-setup.service</td><td>systemd-update-done.service</td><td>systemd-sysctl.service</td><td>systemd-modules-load.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-binfmt.service</td><td>selinux-autorelabel-mark.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>dev-hugepages.mount</td><td>systemd-udev-trigger.service</td><td>systemd-machine-id-commit.service</td><td>systemd-sysusers.service</td><td>import-state.service</td><td>system
d-firstboot.service</td><td>sys-kernel-config.mount</td><td>loadmodules.service</td><td>swap.target</td><td>dev-mapper-rhel\x2dswap.swap</td><td>kmod-static-nodes.service</td><td>multipathd.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-journald.service</td><td>dracut-shutdown.service</td><td>paths.target</td><td>timers.target</td><td>dnf-makecache.timer</td><td>dnf-automatic.timer</td><td>mlocate-updatedb.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-journald.socket</td><td>avahi-daemon.socket</td><td>systemd-journald-dev-log.socket</td><td>dm-event.socket</td><td>libvirtd-ro.socket</td><td>dbus.socket</td><td>libvirtd.socket</td><td>virtlogd.socket</td><td>virtlockd.socket</td><td>systemd-coredump.socket</td><td>iscsiuio.socket</td><td>systemd-udevd-kernel.socket</td><td>multipathd.socket</td><td>systemd-initctl.socket</td><td>iscsid.socket</td><td>cups.socket</td><td>systemd-udevd-control.socket</td><td>rpcbind.socket</td><td>sssd-kcm.socket</td><td>microcode.service</td><td>mdmonitor.service</td><td>smartd.service</td><td>sssd.service</td><td>plymouth-quit-wait.service</td><td>auditd.service</td><td>nfs-client.target</td><td>auth-rpcgss-module.service</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>getty@tty1.service</td><td>vdo.service</td><td>plymouth-quit.service</td><td>mcelog.service</td><td>systemd-ask-password-wall.path</td><td>ksm.service</td><td>tuned.service</td><td>rpcbind.service</td><td>rsyslog.service</td><td>ModemManager.service</td><td>chronyd.service</td><td>systemd-logind.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>NetworkManager.service</td><td>libstoragemgmt.service</td><td>vmtoolsd.service</td><td>sshd.service</td><td>ksmtuned.service</td><td>firewalld.service</td><td>irqbalance.service</td><td>cups.service</td><td>syst
emd-user-sessions.service</td><td>rhsmcertd.service</td><td>avahi-daemon.service</td><td>dbus.service</td><td>kdump.service</td><td>libvirtd.service</td><td>cups.path</td><td>remote-fs.target</td><td>iscsi.service</td><td>var-lib-machines.mount</td><td>atd.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>Â <span class="label label-default">oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Depend
ency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var-tmp.mount</td><td>var.mount</td><td>sysinit.target</td><td>plymouth-read-write.service</td><td>lvm2-monitor.service</td><td>cryptsetup.target</td><td>systemd-hwdb-update.service</td><td>sys-kernel-debug.mount</td><td>local-fs.target</td><td>-.mount</td><td>srv.mount</td><td>opt.mount</td><td>home.mount</td><td>var-log.mount</td><td>tmp.mount</td><td>var-log-audit.mount</td><td>usr.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>ostree-remount.service</td><td>lvm2-lvmpolld.socket</td><td>systemd-journal-flush.service</td><td>nis-domainname.service</td><td>iscsi-onboot.service</td><td>ldconfig.service</td><td>systemd-udevd.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-utmp.service</td><td>systemd-random-seed.service</td><td>plymouth-start.service</td><td>dev-mqueue.mou
nt</td><td>systemd-tmpfiles-setup.service</td><td>systemd-update-done.service</td><td>systemd-sysctl.service</td><td>systemd-modules-load.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-binfmt.service</td><td>selinux-autorelabel-mark.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>dev-hugepages.mount</td><td>systemd-udev-trigger.service</td><td>systemd-machine-id-commit.service</td><td>systemd-sysusers.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>sys-kernel-config.mount</td><td>loadmodules.service</td><td>swap.target</td><td>dev-mapper-rhel\x2dswap.swap</td><td>kmod-static-nodes.service</td><td>multipathd.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-journald.service</td><td>dracut-shutdown.service</td><td>paths.target</td><td>timers.target</td><td>dnf-makecache.timer</td><td>dnf-automatic.timer</td><td>mlocate-updatedb.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-journald.socket</td><td>avahi-daemon.socket</td><td>systemd-journald-dev-log.socket</td><td>dm-event.socket</td><td>libvirtd-ro.socket</td><td>dbus.socket</td><td>libvirtd.socket</td><td>virtlogd.socket</td><td>virtlockd.socket</td><td>systemd-coredump.socket</td><td>iscsiuio.socket</td><td>systemd-udevd-kernel.socket</td><td>multipathd.socket</td><td>systemd-initctl.socket</td><td>iscsid.socket</td><td>cups.socket</td><td>systemd-udevd-control.socket</td><td>rpcbind.socket</td><td>sssd-kcm.socket</td><td>microcode.service</td><td>mdmonitor.service</td><td>smartd.service</td><td>sssd.service</td><td>plymouth-quit-wait.service</td><td>auditd.service</td><td>nfs-client.target</td><td>auth-rpcgss-module.service</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>getty@tty1.service</td><td>vdo.service</td><td>plymouth-quit.service
</td><td>mcelog.service</td><td>systemd-ask-password-wall.path</td><td>ksm.service</td><td>tuned.service</td><td>rpcbind.service</td><td>rsyslog.service</td><td>ModemManager.service</td><td>chronyd.service</td><td>systemd-logind.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>NetworkManager.service</td><td>libstoragemgmt.service</td><td>vmtoolsd.service</td><td>sshd.service</td><td>ksmtuned.service</td><td>firewalld.service</td><td>irqbalance.service</td><td>cups.service</td><td>systemd-user-sessions.service</td><td>rhsmcertd.service</td><td>avahi-daemon.service</td><td>dbus.service</td><td>kdump.service</td><td>libvirtd.service</td><td>cups.path</td><td>remote-fs.target</td><td>iscsi.service</td><td>var-lib-machines.mount</td><td>atd.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" id="rule-detail-idm45662294556272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow mediumCCE-80811-3 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on gshadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_etc_gshadow:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80811-3">CCE-80811-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.5</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the permissions of <code>/etc/gshadow</code>, run the command: <pre>$ sudo chmod 0000 /etc/gshadow</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/gshadow</code> file contains group 
password hashes. Protection of this file is critical for system security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/gshadow</span> <span class="label label-default">oval:ssg-test_file_permissions_etc_gshadow:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/gshadow">oval:ssg-object_file_permissions_etc_gshadow:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/gshadow</td><td>oval:ssg-state_file_permissions_etc_gshadow_mode_not_0000:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_group" id="rule-detail-idm45662294549568"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on group Filexccdf_org.ssgproject.content_rule_file_permissions_etc_group mediumCCE-80810-5 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on group File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-file_permissions_etc_group:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80810-5">CCE-80810-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.4</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the permissions of <code>/etc/passwd</code>, run the command: <pre>$ sudo chmod 0644 /etc/passwd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/group</code> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/group</span> <span class="label label-default">oval:ssg-test_file_permissions_etc_group:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/group">oval:ssg-object_file_permissions_etc_group:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/group</td><td>oval:ssg-state_file_permissions_etc_group_mode_not_0644:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" id="rule-detail-idm45662294542864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow mediumCCE-80813-9 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on shadow 
File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_etc_shadow:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80813-9">CCE-80813-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.3</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the permissions of <code>/etc/shadow</code>, run the command: <pre>$ sudo chmod 0000 /etc/shadow</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/shadow</code> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/shadow</span> <span class="label label-default">oval:ssg-test_file_permissions_etc_shadow:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/shadow">oval:ssg-object_file_permissions_etc_shadow:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/shadow</td><td>oval:ssg-state_file_permissions_etc_shadow_mode_not_0000:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" id="rule-detail-idm45662294536160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify User Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_gshadow mediumCCE-80802-2 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns gshadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_owner_etc_gshadow:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80802-2">CCE-80802-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.5</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the owner of <code>/etc/gshadow</code>, run the command: <pre>$ sudo chown root /etc/gshadow </pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/gshadow</code> file contains group password hashes. 
Protection of this file is critical for system security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing user ownership of /etc/gshadow</span>&#160;<span class="label label-default">oval:ssg-test_file_owner_etc_gshadow:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/gshadow</td><td>regular</td><td>0</td><td>0</td><td>771</td><td><code>---------&#160;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" id="rule-detail-idm45662294513248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify User Who Owns shadow File xccdf_org.ssgproject.content_rule_file_owner_etc_shadow medium CCE-80804-8 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns shadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_etc_shadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-file_owner_etc_shadow:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80804-8">CCE-80804-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.3</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the owner of <code>/etc/shadow</code>, run the command: <pre>$ sudo chown root /etc/shadow </pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/etc/shadow</code> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing user ownership of /etc/shadow</span>Â <span class="label label-default">oval:ssg-test_file_owner_etc_shadow:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/shadow</td><td>regular</td><td>0</td><td>0</td><td>1309</td><td><code>---------Â </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" id="rule-detail-idm45662294498464"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on passwd Filexccdf_org.ssgproject.content_rule_file_permissions_etc_passwd mediumCCE-80812-1 </div><div 
class="panel-heading"><h3 class="panel-title">Verify Permissions on passwd File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_etc_passwd:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80812-1">CCE-80812-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.2</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a 
href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the permissions of <code>/etc/passwd</code>, run the command: <pre>$ sudo chmod 0644 /etc/passwd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If the <code>/etc/passwd</code> file is writable by a group-owner or the world the risk of its compromise is increased. 
The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/passwd</span>&#160;<span class="label label-default">oval:ssg-test_file_permissions_etc_passwd:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/passwd">oval:ssg-object_file_permissions_etc_passwd:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>oval:ssg-state_file_permissions_etc_passwd_mode_not_0644:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" id="rule-detail-idm45662294604656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Enforce DAC on Symlinks xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks medium CCE-81030-9 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Enforce DAC on Symlinks</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_fs_protected_symlinks:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:02:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81030-9">CCE-81030-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010373</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230267r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_symlinks=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory 
<code>/etc/sysctl.d</code>: <pre>fs.protected_symlinks = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of <code>open()</code> or <code>creat()</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">fs.protected_symlinks static configuration</span>&#160;<span class="label label-default">oval:ssg-test_static_sysctl_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_fs_protected_symlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_etc_sysctld_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_fs_protected_symlinks:obj:1</abbr></strong> of 
type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_run_sysctld_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_fs_protected_symlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>fs.protected_symlinks = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter fs.protected_symlinks set to 1</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>fs.protected_symlinks</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned" id="rule-detail-idm45662294595248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All World-Writable Directories Are Owned by root userxccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned mediumCCE-83375-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure All World-Writable Directories Are Owned by root user</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dir_perms_world_writable_root_owned:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:03:27+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83375-6">CCE-83375-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010700</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230318r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. 
Following this, the files should be deleted or assigned to root user.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45662614409376" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm45662614409376"><pre><code>#!/bin/bash

find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45662614407984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm45662614407984"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Configure excluded (non local) file systems
  set_fact:
    excluded_fstypes:
    - afs
    - ceph
    - cifs
    - smb3
    - smbfs
    - sshfs
    - ncpfs
    - ncp
    - nfs
    - nfs4
    - gfs
    - gfs2
    - glusterfs
    - gpfs
    - pvfs2
    - ocfs2
    - lustre
    - davfs
    - fuse.sshfs
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Create empty list of excluded paths
  set_fact:
    excluded_paths: []
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Detect nonlocal file systems and add them to excluded paths
  set_fact:
    excluded_paths: '{{ excluded_paths | union([item.mount]) }}'
  loop: '{{ ansible_mounts }}'
  when: item.fstype in excluded_fstypes
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Find all directories excluding non-local partitions
  find:
    paths: /
    excludes: excluded_paths
    file_type: directory
    hidden: true
    recurse: true
  register: found_dirs
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Create list of world writable directories
  set_fact:
    world_writable_dirs: '{{ found_dirs.files | selectattr(''woth'') | list }}'
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Change owner to root on directories which are world writable
  file:
    path: '{{ item.path }}'
    owner: root
  loop: '{{ world_writable_dirs }}'
  ignore_errors: true
  tags:
  - CCE-83375-6
  - DISA-STIG-RHEL-08-010700
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results 
details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for local directories that are world writable and have uid greater than 0</span>&#160;<span class="label label-default">oval:ssg-test_dir_world_writable_uid_gt_zero:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/tmp/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_test/.ICE-unix/</td><td>directory</td><td>1000</td><td>1000</td><td>18</td><td><code>rwxrwxrwxt</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" id="rule-detail-idm45662294591248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Enforce DAC on Hardlinks xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks medium CCE-81027-5 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Enforce DAC on Hardlinks</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_fs_protected_hardlinks:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:03:27+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81027-5">CCE-81027-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010374</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230268r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_hardlinks=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>fs.protected_hardlinks = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. 
Disallowing such hardlinks mitigates vulnerabilities based on insecure file system access by privileged programs, closing off an exploitation vector that relies on unsafe use of <code>open()</code> or <code>creat()</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">fs.protected_hardlinks static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_fs_protected_hardlinks:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_fs_protected_hardlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_fs_protected_hardlinks:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_fs_protected_hardlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label
label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_fs_protected_hardlinks:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_fs_protected_hardlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_fs_protected_hardlinks:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>fs.protected_hardlinks = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter fs.protected_hardlinks set to 1</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_runtime_fs_protected_hardlinks:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>fs.protected_hardlinks</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-detail-idm45662294587248"><div
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All SGID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid mediumCCE-80816-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure All SGID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_sgid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:04:43+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80816-2">CCE-80816-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R37)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R38)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.14</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description">The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is to determine whether any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files.
This configuration check considers SGID files that were installed via RPM to be authorized. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">sgid files outside system RPMs</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_unauthorized_sgid:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="files with sgid set which are not owned by any RPM package">oval:ssg-obj_file_permissions_unauthorized_sgid_unowned:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_sgid_filepaths:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-detail-idm45662294583248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All SUID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid mediumCCE-80817-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure All SUID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_suid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:12+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80817-0">CCE-80817-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R37)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R38)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.13</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description">The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is to determine whether any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files.
This configuration check considers SUID files that were installed via RPM to be authorized. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">suid files outside system RPMs</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_unauthorized_suid:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="files with suid set which are not owned by any RPM package">oval:ssg-obj_file_permissions_unauthorized_suid_unowned:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_suid_filepaths:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-detail-idm45662294579248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-80783-4 </div><div class="panel-heading"><h3 class="panel-title">Verify that All World-Writable Directories Have Sticky Bits Set</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dir_perms_world_writable_sticky_bits:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:14+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80783-4">CCE-80783-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.21</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001090</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a
href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010190</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230243r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">When the so-called 'sticky bit' is set on a directory, only the owner of a given file may 
remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. <br> To set the sticky bit on a world-writable directory <i>DIR</i>, run the following command: <pre>$ sudo chmod +t <i>DIR</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. <br><br> The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as <code>/tmp</code>), and for directories requiring global read/write access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">all local world-writable directories have sticky bit set</span>&nbsp;<span class="label label-default">oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="only local directories">oval:ssg-object_only_local_directories:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>no value</td><td>oval:ssg-state_world_writable_and_not_sticky:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-detail-idm45662294575248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure No World-Writable Files Existxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable mediumCCE-80818-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure No World-Writable Files Exist</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_world_writable:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:30+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80818-8">CCE-80818-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.10</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a></p></td></tr><tr><td>Description</td><td><div class="description">It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. 
Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as <code>sysfs</code> or <code>procfs</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">world writable files</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_unauthorized_world_write:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="world writable">oval:ssg-object_file_permissions_unauthorized_world_write:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_world_write:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_nosuid"
id="rule-detail-idm45662294432064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nosuid unknownCCE-83383-0 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83383-0">CCE-83383-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var</code>. The SUID and SGID permissions should not be required for this directory. 
Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var</span>&#160;<span class="label label-default">oval:ssg-test_var_partition_nosuid:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var</td><td>/dev/mapper/rhel-var</td><td>3b9bf26c-12ea-4f64-abc1-3fac0b5d2263</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">783872</td><td role="num">64665</td><td role="num">719207</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" id="rule-detail-idm45662294425376"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to 
/var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec mediumCCE-82151-2 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var/tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_tmp_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:31+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82151-2">CCE-82151-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040134</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230522r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/tmp</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/tmp</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing users to execute binaries from world-writable directories such as <code>/var/tmp</code> should never be necessary in normal operation and can expose the system to potential compromise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var/tmp</span>&#160;<span class="label label-default">oval:ssg-test_var_tmp_partition_noexec:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/tmp</td><td>/dev/mapper/rhel-var_tmp</td><td>5cdb94cd-dc68-4f07-aca4-c8f069f590f1</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10098</td><td role="num">249486</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_home_noexec" id="rule-detail-idm45662294413248"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_noexec mediumCCE-83328-5 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /home</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_home_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_home_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83328-5">CCE-83328-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/home</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/home</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/home</code> directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /home</span>&#160;<span class="label label-default">oval:ssg-test_home_partition_noexec:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/rhel-home</td><td>249c85b7-b274-4df5-8ef4-8790ff211f6a</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">13527</td><td role="num">246057</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_noexec" id="rule-detail-idm45662294406560"><div class="keywords sr-only"><!--This allows 
OpenSCAP JS to search the report rules-->Add noexec Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_noexec mediumCCE-83330-1 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83330-1">CCE-83330-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/var</code> directory contains variable system data such as logs, mails and caches. No binaries should be executed from this directory.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var</span>&#160;<span class="label label-default">oval:ssg-test_var_partition_noexec:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var</td><td>/dev/mapper/rhel-var</td><td>3b9bf26c-12ea-4f64-abc1-3fac0b5d2263</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">783872</td><td role="num">64660</td><td role="num">719212</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_boot_noexec" id="rule-detail-idm45662294399872"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Add noexec Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_noexec mediumCCE-83316-0 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /boot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_boot_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_boot_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83316-0">CCE-83316-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/boot</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/boot</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>/boot</code> partition contains the kernel and the bootloader. No binaries should be executed from this partition after the booting process finishes.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /boot</span>&#160;<span class="label label-default">oval:ssg-test_boot_partition_noexec:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>9bdb2e77-09b5-4440-bb45-2979a88c80fd</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">129704</td><td role="num">59981</td><td role="num">69723</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" id="rule-detail-idm45662294387776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the 
report rules-->Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid mediumCCE-82065-4 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var/log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:32+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82065-4">CCE-82065-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040127</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230515r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/log</code>. 
The SUID and SGID permissions should not be required in directories containing log files. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var/log</span>&#160;<span class="label label-default">oval:ssg-test_var_log_partition_nosuid:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/rhel-var_log</td><td>54ebd97a-fc48-4ff8-9e66-637df9cbc902</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">12678</td><td role="num">246906</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid" id="rule-detail-idm45662294379008"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /optxccdf_org.ssgproject.content_rule_mount_option_opt_nosuid mediumCCE-83319-4 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /opt</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_opt_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_opt_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83319-4">CCE-83319-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/opt</code>. 
The SUID and SGID permissions should not be required in this directory. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/opt</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. The <code>/opt</code> directory contains additional software packages. Users should not be able to execute SUID or SGID binaries from this directory.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /opt</span>&#160;<span class="label label-default">oval:ssg-test_opt_partition_nosuid:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/opt</td><td>/dev/mapper/rhel-opt</td><td>77ae06e9-6dd5-4e0a-b037-f3613a9d7b52</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10073</td><td role="num">249511</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" 
id="rule-detail-idm45662294369600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid mediumCCE-81033-3 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /boot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_boot_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81033-3">CCE-81033-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010571</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230300r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The 
<code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/boot</code>. The SUID and SGID permissions should not be required on the boot partition. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/boot</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /boot</span>&#160;<span class="label label-default">oval:ssg-test_boot_partition_nosuid:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>9bdb2e77-09b5-4440-bb45-2979a88c80fd</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">129704</td><td role="num">59981</td><td role="num">69723</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" id="rule-detail-idm45662294365616"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec mediumCCE-82008-4 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var/log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82008-4">CCE-82008-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040128</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230516r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/log</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing users to execute binaries from directories containing log files such as <code>/var/log</code> should never be necessary in normal operation and can expose the system to potential compromise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var/log</span> <span class="label label-default">oval:ssg-test_var_log_partition_noexec:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/rhel-var_log</td><td>54ebd97a-fc48-4ff8-9e66-637df9cbc902</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">12678</td><td role="num">246906</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" id="rule-detail-idm45662294358912"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec mediumCCE-82139-7 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_tmp_noexec:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82139-7">CCE-82139-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.5</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040125</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230513r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/tmp</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/tmp</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing users to execute binaries from world-writable directories such as <code>/tmp</code> should never be necessary in normal operation and can expose the system to potential compromise.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /tmp</span> <span class="label label-default">oval:ssg-test_tmp_partition_noexec:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space 
left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/rhel-tmp</td><td>7046abce-80d6-421c-bff3-99e32bc334a2</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10119</td><td role="num">249465</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" id="rule-detail-idm45662294354928"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid mediumCCE-82140-5 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_tmp_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82140-5">CCE-82140-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.4</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040124</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230512r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/tmp</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/tmp</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /tmp</span> <span class="label label-default">oval:ssg-test_tmp_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space 
left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/rhel-tmp</td><td>7046abce-80d6-421c-bff3-99e32bc334a2</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10119</td><td role="num">249465</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" id="rule-detail-idm45662294350944"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid mediumCCE-82154-6 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var/tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_tmp_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82154-6">CCE-82154-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.9</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040133</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230521r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/tmp</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/tmp</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. 
Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var/tmp</span> <span class="label label-default">oval:ssg-test_var_tmp_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/tmp</td><td>/dev/mapper/rhel-var_tmp</td><td>5cdb94cd-dc68-4f07-aca4-c8f069f590f1</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10098</td><td role="num">249486</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-detail-idm45662294341520"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid mediumCCE-81050-7 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /home</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_home_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_home_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:33+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81050-7">CCE-81050-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010570</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230299r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions should not be required in these user data directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/home</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. 
Users should not be able to execute SUID or SGID binaries from user home directory partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /home</span> <span class="label label-default">oval:ssg-test_home_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/rhel-home</td><td>249c85b7-b274-4df5-8ef4-8790ff211f6a</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">13527</td><td role="num">246057</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" id="rule-detail-idm45662294334832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to Non-Root Local Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions mediumCCE-82069-6 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to Non-Root 
Local Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82069-6">CCE-82069-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010580</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230301r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the <code>/dev</code> directory on the root partition or within chroot jails built for system services. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any non-root local partitions.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. 
The only exception to this is chroot jails, for which it is not advised to set <code>nodev</code> on these filesystems.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on local filesystems</span> <span class="label label-default">oval:ssg-test_nodev_nonroot_local_partitions:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_non_root_partitions:obj:1</abbr></strong> of type <strong>partition_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Filter</th></tr></thead><tbody><tr><td>^/\w.*$</td><td>oval:ssg-state_local_nodev:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid" id="rule-detail-idm45662294330800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /srvxccdf_org.ssgproject.content_rule_mount_option_srv_nosuid mediumCCE-83322-8 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /srv</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-mount_option_srv_nosuid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83322-8">CCE-83322-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/srv</code>. The SUID and SGID permissions should not be required in this directory. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/srv</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. The <code>/srv</code> directory contains files served by various network services such as FTP. 
Users should not be able to execute SUID or SGID binaries from this directory.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /srv</span> <span class="label label-default">oval:ssg-test_srv_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/srv</td><td>/dev/mapper/rhel-srv</td><td>77751d51-5128-44d4-b904-41179eafa70e</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>logbufs=8</td><td>logbsize=32k</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10073</td><td role="num">249511</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" id="rule-detail-idm45662294277328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable NX or XD Support in the BIOSxccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions unknownCCE-83918-3 </div><div class="panel-heading"><h3 class="panel-title">Enable NX or XD Support in the BIOS</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83918-3">CCE-83918-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R9)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a></p></td></tr><tr><td>Description</td><td><div class="description">Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. 
Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.</div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" id="rule-detail-idm45662294273984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install PAE Kernel on Supported 32-bit x86 Systemsxccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32 unknownCCE-83919-1 </div><div class="panel-heading"><h3 class="panel-title">Install PAE Kernel on Supported 32-bit x86 Systems</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-install_PAE_kernel_on_x86-32:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83919-1">CCE-83919-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R9)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a></p></td></tr><tr><td>Description</td><td><div class="description">Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support. The <code>kernel-PAE</code> package can be installed with the following command: <pre> $ sudo yum install kernel-PAE</pre> The installation process should also have configured the bootloader to load the new kernel at boot. Verify this after reboot and modify <code>/etc/default/grub</code> if necessary.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as this may prevent them from booting.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">32 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_x86:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">CPUs support PAE kernel or NX bit</span>Â <span class="label label-default">oval:ssg-test_PAE_NX_cpu_support:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/proc/cpuinfo</td><td>flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat umip md_clear arch_capabilities</td></tr></tbody></table><h4><span class="label label-primary">32 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 
2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">Package kernel-PAE is installed</span>Â <span class="label label-default">oval:ssg-test_package_kernel-PAE_installed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_package_kernel-PAE_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>kernel-PAE</td></tr></tbody></table><h4><span class="label label-primary">check for DEFAULTKERNEL set to kernel-PAE in /etc/sysconfig/kernel</span>Â <span class="label label-default">oval:ssg-test_defaultkernel_sysconfig_kernel:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_defaultkernel_sysconfig_kernel:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysconfig/kernel</td><td>^\s*DEFAULTKERNEL[\s]*=[\s]*kernel-PAE$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-detail-idm45662294269984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-80916-0 </div><div class="panel-heading"><h3 class="panel-title">Enable Randomized Layout of Virtual Address Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_randomize_va_space:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80916-0">CCE-80916-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.6.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002824</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, 
<a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00193</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010430</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230280r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.randomize_va_space = 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. 
Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.randomize_va_space static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_randomize_va_space:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.randomize_va_space = 2 </td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_randomize_va_space:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.randomize_va_space = 2 </td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_randomize_va_space:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_randomize_va_space:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table 
table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_randomize_va_space:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_randomize_va_space:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.randomize_va_space set to 2</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_randomize_va_space:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.randomize_va_space</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" id="rule-detail-idm45662294265984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-80915-2 </div><div 
class="panel-heading"><h3 class="panel-title">Restrict Exposed Kernel Pointer Addresses Access</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_kptr_restrict:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80915-2">CCE-80915-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040283</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230547r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.kptr_restrict = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Exposing kernel pointers (through procfs or <code>seq_printf()</code>) exposes kernel writeable structures that can contain function pointers. If a write vulnerability occurs in the kernel allowing write access to any of these structures, the kernel can be compromised. 
This option disallows any program without the CAP_SYSLOG capability from getting the kernel pointer addresses, replacing them with 0.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.kptr_restrict static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_kernel_kptr_restrict:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_kptr_restrict:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_static_run_sysctld_kernel_kptr_restrict:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_kptr_restrict:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>kernel.kptr_restrict = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.kptr_restrict set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_kptr_restrict:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.kptr_restrict</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-detail-idm45662294261984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable ExecShield via 
sysctlxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield mediumCCE-80914-5 </div><div class="panel-heading"><h3 class="panel-title">Enable ExecShield via sysctl</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_exec_shield:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80914-5">CCE-80914-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R9)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002530</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a></p></td></tr><tr><td>Description</td><td><div class="description">By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in <code>/etc/default/grub</code>. 
For Red Hat Enterprise Linux 7 32-bit systems, <code>sysctl</code> can be used to enable ExecShield.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">32 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.exec-shield set to 1</span>Â <span class="label label-default">oval:ssg-test_runtime_sysctl_kernel_exec_shield:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_exec_shield:obj:1</abbr></strong> of type 
<strong>sysctl_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>kernel.exec-shield</td></tr></tbody></table><h4><span class="label label-primary">kernel.exec-shield static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_exec_shield:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_exec_shield:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>localhost.localdomain</td><td>Linux</td><td>4.18.0-314.el8.x86_64</td><td>#1 SMP Tue Jun 15 11:28:48 EDT 2021</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">NX is disabled</span>Â <span class="label label-default">oval:ssg-test_nx_disabled_grub:tst:1</span>Â <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nx_disabled_grub:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td>[\s]*noexec[\s]*=[\s]*off</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" id="rule-detail-idm45662294245120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Core Dumps for SUID programsxccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable mediumCCE-80912-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Core Dumps for SUID programs</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_fs_suid_dumpable:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80912-9">CCE-80912-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.6.1</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>fs.suid_dumpable = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. 
Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">fs.suid_dumpable static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_fs_suid_dumpable:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>fs.suid_dumpable = 0 </td></tr></tbody></table><h4><span class="label label-primary">fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_fs_suid_dumpable:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>fs.suid_dumpable = 0 </td></tr></tbody></table><h4><span class="label label-primary">fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_fs_suid_dumpable:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_fs_suid_dumpable:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_fs_suid_dumpable:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_fs_suid_dumpable:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter fs.suid_dumpable set to 0</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_fs_suid_dumpable:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>fs.suid_dumpable</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent" id="rule-detail-idm45662294324112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit CPU consumption of the Perf systemxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent mediumCCE-83373-1 </div><div class="panel-heading"><h3 class="panel-title">Limit CPU consumption of the Perf 
system</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_perf_cpu_time_max_percent:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83373-1">CCE-83373-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.perf_cpu_time_max_percent</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.perf_cpu_time_max_percent = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The 
<code>kernel.perf_cpu_time_max_percent</code> configures a threshold of maximum percentile of CPU that can be used by the Perf system. Restricting usage of the <code>Perf</code> system decreases the risk of potential availability problems.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.perf_cpu_time_max_percent static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_kernel_perf_cpu_time_max_percent:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.perf_cpu_time_max_percent = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_perf_cpu_time_max_percent:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.perf_cpu_time_max_percent = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_perf_cpu_time_max_percent:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_kernel_perf_cpu_time_max_percent:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_cpu_time_max_percent static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_perf_cpu_time_max_percent:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_perf_cpu_time_max_percent:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.perf_cpu_time_max_percent set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_perf_cpu_time_max_percent:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.perf_cpu_time_max_percent</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled" id="rule-detail-idm45662294320096"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable loading and unloading of kernel modulesxccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled mediumCCE-83397-0 </div><div class="panel-heading"><h3 class="panel-title">Disable loading and unloading of kernel modules</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_modules_disabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83397-0">CCE-83397-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R24)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.modules_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.modules_disabled=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.modules_disabled = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Malicious kernel modules can have a significant impact on system security and availability. Disabling loading of kernel modules prevents this threat. Note that once this option has been set, it cannot be reverted without doing a system reboot. Make sure that all needed kernel modules are loaded before setting this option.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;This rule doesn't come with Bash remediation. 
Remediating this rule during the installation process disrupts the install and boot process.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45662610550960" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm45662610550960"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure sysctl kernel.modules_disabled is set to 1
  sysctl:
    name: kernel.modules_disabled
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83397-0
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_modules_disabled
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.modules_disabled static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_static_sysctl_kernel_modules_disabled:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_modules_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_modules_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_modules_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_modules_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_modules_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.modules_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_modules_disabled:tst:1</span>Â <span 
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_modules_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.modules_disabled set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_modules_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.modules_disabled</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-detail-idm45662294316096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict mediumCCE-80913-7 </div><div class="panel-heading"><h3 class="panel-title">Restrict Access to Kernel Message Buffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_dmesg_restrict:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80913-7">CCE-80913-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010375</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230269r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.dmesg_restrict = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unprivileged access to the kernel syslog can expose sensitive kernel address information.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.dmesg_restrict static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.dmesg_restrict = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.dmesg_restrict = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_dmesg_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_dmesg_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.dmesg_restrict set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.dmesg_restrict</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq" id="rule-detail-idm45662294306672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disallow magic SysRq keyxccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq mediumCCE-83355-8 </div><div class="panel-heading"><h3 class="panel-title">Disallow magic SysRq key</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_sysrq:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:34+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83355-8">CCE-83355-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.sysrq</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.sysrq=0</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.sysrq = 0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The Magic SysRq key allows sending certain commands directly to the running kernel. It can dump various system and process information, potentially revealing sensitive information. 
It can also reboot or shutdown the machine, disturbing its availability.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.sysrq static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_sysrq:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.sysrq = 0 </td></tr></tbody></table><h4><span class="label label-primary">kernel.sysrq static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_sysrq:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.sysrq = 0 </td></tr></tbody></table><h4><span class="label label-primary">kernel.sysrq static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_sysrq:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_sysrq:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.sysrq static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_sysrq:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_sysrq:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.sysrq set to 0</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_sysrq:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.sysrq</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max" id="rule-detail-idm45662294302704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure maximum number of process identifiersxccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max mediumCCE-83366-5 </div><div class="panel-heading"><h3 class="panel-title">Configure maximum number of process identifiers</h3></div><div class="panel-body"><table class="table 
table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_pid_max:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83366-5">CCE-83366-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.pid_max</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.pid_max=65536</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.pid_max = 65536</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>kernel.pid_max</code> parameter configures upper limit on process identifiers (PID). 
If this number is not high enough, it might happen that forking of new processes is not possible, because all available PIDs are exhausted. Increasing this number enhances availability.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.pid_max static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_pid_max:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.pid_max = 65536 </td></tr></tbody></table><h4><span class="label label-primary">kernel.pid_max static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_pid_max:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.pid_max = 65536 </td></tr></tbody></table><h4><span class="label label-primary">kernel.pid_max static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_pid_max:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_pid_max:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.pid_max static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_pid_max:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_pid_max:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.pid_max set to 65536</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_pid_max:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.pid_max</td><td>65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" id="rule-detail-idm45662294296032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-80953-3 </div><div class="panel-heading"><h3 class="panel-title">Restrict usage of ptrace to descendant 
processes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80953-3">CCE-80953-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R25)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040282</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230546r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.yama.ptrace_scope = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. This way, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing). </div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_kernel_yama_ptrace_scope:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.yama.ptrace_scope = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_yama_ptrace_scope:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.yama.ptrace_scope = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_yama_ptrace_scope:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_yama_ptrace_scope:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.yama.ptrace_scope set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_yama_ptrace_scope:tst:1</span>Â <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.yama.ptrace_scope</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate" id="rule-detail-idm45662294289328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit sampling frequency of the Perf systemxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate mediumCCE-83368-1 </div><div class="panel-heading"><h3 class="panel-title">Limit sampling frequency of the Perf system</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_perf_event_max_sample_rate:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83368-1">CCE-83368-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.perf_event_max_sample_rate</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_max_sample_rate=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.perf_event_max_sample_rate = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>kernel.perf_event_max_sample_rate</code> parameter configures maximum frequency of collecting of samples for the Perf system. It is expressed in samples per second. 
Restricting usage of the <code>Perf</code> system decreases the risk of potential availability problems.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.perf_event_max_sample_rate static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_kernel_perf_event_max_sample_rate:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.perf_event_max_sample_rate = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_perf_event_max_sample_rate:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.perf_event_max_sample_rate = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_perf_event_max_sample_rate:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_perf_event_max_sample_rate:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table 
table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_max_sample_rate static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_max_sample_rate:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_max_sample_rate:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.perf_event_max_sample_rate set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_perf_event_max_sample_rate:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.perf_event_max_sample_rate</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" id="rule-detail-idm45662294285312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disallow kernel profiling by unprivileged 
usersxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid mediumCCE-81054-9 </div><div class="panel-heading"><h3 class="panel-title">Disallow kernel profiling by unprivileged users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_perf_event_paranoid:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81054-9">CCE-81054-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001090</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010376</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230270r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.perf_event_paranoid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_paranoid=2</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.perf_event_paranoid = 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Kernel profiling can reveal sensitive information about kernel behaviour.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label 
label-primary">kernel.perf_event_paranoid static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>kernel.perf_event_paranoid = 2 </td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>kernel.perf_event_paranoid = 2 </td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_perf_event_paranoid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label 
label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_paranoid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.perf_event_paranoid set to 2</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.perf_event_paranoid</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr" id="rule-detail-idm45662294281312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent applications from mapping low portion of virtual memoryxccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr mediumCCE-83363-2 </div><div class="panel-heading"><h3 class="panel-title">Prevent applications from mapping low portion of virtual memory</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr 
title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_vm_mmap_min_addr:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83363-2">CCE-83363-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>vm.mmap_min_addr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w vm.mmap_min_addr=65536</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>vm.mmap_min_addr = 65536</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>vm.mmap_min_addr</code> parameter specifies the minimum virtual address that a process is allowed to mmap. 
Allowing a process to mmap the low portion of virtual memory can have security implications, such as a heightened risk of kernel null pointer dereference defects.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">vm.mmap_min_addr static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_vm_mmap_min_addr:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>vm.mmap_min_addr = 65536 </td></tr></tbody></table><h4><span class="label label-primary">vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_vm_mmap_min_addr:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sysctl.d/99-sysctl.conf</td><td>vm.mmap_min_addr = 65536 </td></tr></tbody></table><h4><span class="label label-primary">vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_vm_mmap_min_addr:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_vm_mmap_min_addr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">vm.mmap_min_addr static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_vm_mmap_min_addr:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_vm_mmap_min_addr:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter vm.mmap_min_addr set to 65536</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_vm_mmap_min_addr:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>vm.mmap_min_addr</td><td>65536</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_password" id="rule-detail-idm45662294213488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-80828-7 </div><div class="panel-heading"><h3 class="panel-title">Set Boot Loader Password in grub2</h3></div><div class="panel-body"><table class="table 
table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_password:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80828-7">CCE-80828-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R17)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.5.2</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010150</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230235r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passwords are a security risk, generate a hash for the password by running the following command: <pre>$ grub2-setpassword</pre> When prompted, enter the password that was selected. <br><br> <br><br> Once the superuser password has been added, update the <code>grub.cfg</code> file by running: <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. 
Also, do NOT manually add the superuser account and password to the <code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if /boot/grub2/grub.cfg does not exist</span> <span class="label label-default">oval:ssg-test_grub2_password_file_boot_grub2_grub_cfg_absent:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td>regular</td><td>0</td><td>0</td><td>6460</td><td><code>rw-r--r-- </code></td></tr></tbody></table><h4><span class="label label-primary">make sure a password is defined in /boot/grub2/user.cfg</span> <span class="label label-default">oval:ssg-test_grub2_password_usercfg:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_grub2_password_usercfg:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/boot/grub2/user.cfg</td><td>^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">make sure a password is defined in /boot/grub2/grub.cfg</span> <span class="label label-default">oval:ssg-test_grub2_password_grubcfg:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to 
the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_grub2_password_grubcfg:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td>^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">superuser is defined in /boot/grub2/grub.cfg files.</span> <span class="label label-default">oval:ssg-test_bootloader_superuser:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td> set superusers="root"</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notapplicable rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-detail-idm45662294195872"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password highCCE-80829-5 </div><div class="panel-heading"><h3 class="panel-title">Set the UEFI Boot Loader Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_uefi_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. 
For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80829-5">CCE-80829-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R17)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.5.2</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010140</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230234r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passwords are a security risk, generate a hash for the password by running the following command: <pre>$ grub2-setpassword</pre> When prompted, enter the password that was selected. 
<br><br> Once the superuser password has been added, update the <code>grub.cfg</code> file by running: <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the <code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force" id="rule-detail-idm45662294233024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->IOMMU configuration directivexccdf_org.ssgproject.content_rule_grub2_enable_iommu_force unknownCCE-83920-9 </div><div class="panel-heading"><h3 class="panel-title">IOMMU configuration directive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-grub2_enable_iommu_force:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:35+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83920-9">CCE-83920-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R11)</a></p></td></tr><tr><td>Description</td><td><div class="description">On x86 architectures supporting VT-d, the IOMMU manages the access control policy between hardware devices and some system-critical units such as the memory.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">On x86 architectures, activating the IOMMU protects the system from arbitrary accesses potentially made by hardware devices.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. 
Proper function and stability should be assessed before applying remediation to production systems.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for kernel command line parameters iommu=force in /boot/grub2/grubenv for all kernels</span> <span class="label label-default">oval:ssg-test_grub2_iommu_argument_grub_env:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grubenv</td><td>kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rd.lvm.lv=rhel/usr rhgb quiet iommu=force</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_deny_execmem" id="rule-detail-idm45662293988928"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the deny_execmem SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_deny_execmem mediumCCE-83307-9 </div><div class="panel-heading"><h3 class="panel-title">Enable the deny_execmem SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_deny_execmem</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_deny_execmem:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83307-9">CCE-83307-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>deny_execmem</code> is disabled. If this setting is disabled, it should be enabled. 
To disable the <code>deny_execmem</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P deny_execmem off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing user domain applications to map a memory region as both writable and executable makes them more susceptible to data execution attacks.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This rule doesn't come with a remediation, as enabling this SELinux boolean can cause applications to malfunction, for example graphical login managers and Firefox.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Proper function and stability should be assessed before enabling the SELinux boolean on production systems.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">deny_execmem is configured correctly</span> <span class="label label-default">oval:ssg-test_sebool_deny_execmem:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>deny_execmem</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" id="rule-detail-idm45662293692272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the secure_mode_insmod SELinux 
Booleanxccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod mediumCCE-83310-3 </div><div class="panel-heading"><h3 class="panel-title">Disable the secure_mode_insmod SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_secure_mode_insmod:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83310-3">CCE-83310-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>secure_mode_insmod</code> is disabled. If this setting is enabled, it should be disabled. 
To disable the <code>secure_mode_insmod</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P secure_mode_insmod off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">secure_mode_insmod is configured correctly</span> <span class="label label-default">oval:ssg-test_sebool_secure_mode_insmod:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>secure_mode_insmod</td><td role="num">true</td><td role="num">true</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" id="rule-detail-idm45662293648208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the selinuxuser_execheap SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap mediumCCE-80949-1 </div><div class="panel-heading"><h3 class="panel-title">Disable the selinuxuser_execheap SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sebool_selinuxuser_execheap:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80949-1">CCE-80949-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>selinuxuser_execheap</code> is disabled. 
When this boolean is enabled, it allows SELinux users to execute code from the heap. If this setting is enabled, it should be disabled. To disable the <code>selinuxuser_execheap</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P selinuxuser_execheap off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disabling code execution from the heap blocks buffer overflow attacks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">selinuxuser_execheap is configured correctly</span> <span class="label label-default">oval:ssg-test_sebool_selinuxuser_execheap:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>selinuxuser_execheap</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled" id="rule-detail-idm45662293611760"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the polyinstantiation_enabled SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled mediumCCE-84230-2 </div><div class="panel-heading"><h3 class="panel-title">Disable the polyinstantiation_enabled SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_polyinstantiation_enabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84230-2">CCE-84230-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. If this setting is enabled, it should be disabled. 
To disable the <code>polyinstantiation_enabled</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P polyinstantiation_enabled off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">polyinstantiation_enabled is configured correctly</span> <span class="label label-default">oval:ssg-test_sebool_polyinstantiation_enabled:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>polyinstantiation_enabled</td><td role="num">true</td><td role="num">true</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" id="rule-detail-idm45662293604848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the selinuxuser_execstack SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack mediumCCE-80951-7 </div><div class="panel-heading"><h3 class="panel-title">Disable the selinuxuser_execstack SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_selinuxuser_execstack:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80951-7">CCE-80951-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean 
<code>selinuxuser_execstack</code> is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disable the <code>selinuxuser_execstack</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P selinuxuser_execstack off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disabling code execution from the stack blocks buffer overflow attacks.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">selinuxuser_execstack is configured correctly</span> <span class="label label-default">oval:ssg-test_sebool_selinuxuser_execstack:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>selinuxuser_execstack</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login" id="rule-detail-idm45662293536848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the ssh_sysadm_login SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login mediumCCE-83311-1 </div><div class="panel-heading"><h3 class="panel-title">Disable the ssh_sysadm_login SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_ssh_sysadm_login:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83311-1">CCE-83311-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R67)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. If this setting is enabled, it should be disabled. 
To disable the <code>ssh_sysadm_login</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P ssh_sysadm_login off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">ssh_sysadm_login is configured correctly</span> <span class="label label-default">oval:ssg-test_sebool_ssh_sysadm_login:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>ssh_sysadm_login</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed" id="rule-detail-idm45662294161408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall setroubleshoot-plugins Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed lowCCE-84250-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall setroubleshoot-plugins Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL 
Definition ID</td><td>oval:ssg-package_setroubleshoot-plugins_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84250-0">CCE-84250-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R68)</a></p></td></tr><tr><td>Description</td><td><div class="description">The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. 
The <code>setroubleshoot-plugins</code> package can be removed with the following command: <pre> $ sudo yum erase setroubleshoot-plugins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The SETroubleshoot service is an unnecessary daemon to have running on a server.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package setroubleshoot-plugins is removed</span> <span class="label label-default">oval:ssg-test_package_setroubleshoot-plugins_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_setroubleshoot-plugins_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>setroubleshoot-plugins</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed" id="rule-detail-idm45662294157392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall setroubleshoot-server Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed lowCCE-83490-3 </div><div class="panel-heading"><h3 class="panel-title">Uninstall setroubleshoot-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_setroubleshoot-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83490-3">CCE-83490-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R68)</a></p></td></tr><tr><td>Description</td><td><div class="description">The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. 
The <code>setroubleshoot-server</code> package can be removed with the following command: <pre> $ sudo yum erase setroubleshoot-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The SETroubleshoot service is an unnecessary daemon to have running on a server.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package setroubleshoot-server is removed</span> <span class="label label-default">oval:ssg-test_package_setroubleshoot-server_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_setroubleshoot-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>setroubleshoot-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" id="rule-detail-idm45662294153392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall setroubleshoot Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot_removed lowCCE-82755-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall setroubleshoot Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component 
satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_setroubleshoot_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82755-0">CCE-82755-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R68)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.7.1.6</a></p></td></tr><tr><td>Description</td><td><div class="description">The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. 
The <code>setroubleshoot</code> package can be removed with the following command: <pre> $ sudo yum erase setroubleshoot</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is removed or disabled.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package setroubleshoot is removed</span> <span class="label label-default">oval:ssg-test_package_setroubleshoot_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_setroubleshoot_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>setroubleshoot</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-detail-idm45662294149392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-80868-3 </div><div class="panel-heading"><h3 class="panel-title">Configure SELinux Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_policytype</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-selinux_policytype:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80868-3">CCE-80868-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.7.1.3</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a 
href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010450</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230282r627750_rule</a>, <a href="">SRG-OS-000445-VMM-001780</a></p></td></tr><tr><td>Description</td><td><div class="description">The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in <code>/etc/selinux/config</code>: <pre>SELINUXTYPE=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></pre> Other policies, such as <code>mls</code>, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the SELinux policy to <code>targeted</code> or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. <br><br> Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in <code>permissive</code> mode. 
In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file</span> <span class="label label-default">oval:ssg-test_selinux_policy:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUXTYPE=targeted </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-detail-idm45662294132368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state mediumCCE-80869-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux State is Enforcing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_state</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-selinux_state:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80869-1">CCE-80869-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R4)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.7.1.4</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a 
href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010170</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230240r627750_rule</a>, <a href="">SRG-OS-000445-VMM-001780</a></p></td></tr><tr><td>Description</td><td><div class="description">The SELinux state should be set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></code> at system boot time. In the file <code>/etc/selinux/config</code>, add or correct the following line to configure the system to boot into enforcing mode: <pre>SELINUX=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/selinux/enforce is 1</span> <span class="label label-default">oval:ssg-test_etc_selinux_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUX=enforcing</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" id="rule-detail-idm45662293434656"><div class="keywords sr-only"><!--This allows 
OpenSCAP JS to search the report rules-->Configure System to Forward All Mail For The Root Accountxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias lowCCE-82381-5 </div><div class="panel-heading"><h3 class="panel-title">Configure System to Forward All Mail For The Root Account</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-postfix_client_configure_mail_alias:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82381-5">CCE-82381-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R49)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000139</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000046-GPOS-00022</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-030030</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230389r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias">system.administrator@mail.mil</abbr> is a valid email address reachable from the system in question. Use the following command to configure the alias: <pre>$ echo "root: <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias">system.administrator@mail.mil</abbr>" | sudo tee -a /etc/aliases
$ sudo newaliases</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. 
These messages must be forwarded to at least one monitored email address.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if root has the correct mail alias.</span> <span class="label label-default">oval:ssg-test_postfix_client_configure_mail_alias:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/aliases</td><td>root: system.administrator@mail.mil</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" id="rule-detail-idm45662293429808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Postfix Network Listeningxccdf_org.ssgproject.content_rule_postfix_network_listening_disabled mediumCCE-82174-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Postfix Network Listening</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-postfix_network_listening_disabled:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82174-4">CCE-82174-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R48)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.18</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000382</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td>Description</td><td><div class="description">Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_postfix_inet_interfaces">loopback-only</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">This ensures <code>postfix</code> accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel 
panel-default"><div class="panel-body"><h4><span class="label label-primary">package postfix is installed</span> <span class="label label-default">oval:ssg-test_service_postfix_package_postfix_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_postfix_package_postfix_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>postfix</td></tr></tbody></table><h4><span class="label label-primary">Test that the postfix service is running</span> <span class="label label-default">oval:ssg-test_service_running_postfix:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of postfix">oval:ssg-obj_service_running_postfix:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^postfix\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_postfix:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_postfix_socket:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><h4><span class="label label-primary">inet_interfaces in /etc/postfix/main.cf should be set correctly</span> <span class="label label-default">oval:ssg-test_postfix_network_listening_disabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="inet_interfaces in /etc/postfix/main.cf should be set correctly">oval:ssg-obj_postfix_network_listening_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/postfix/main.cf</td><td>^[\s]*inet_interfaces[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed" id="rule-detail-idm45662293442768"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall Sendmail Packagexccdf_org.ssgproject.content_rule_package_sendmail_removed mediumCCE-81039-0 </div><div class="panel-heading"><h3 
class="panel-title">Uninstall Sendmail Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_sendmail_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_sendmail_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81039-0">CCE-81039-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040002</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230489r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the following command: <pre> $ sudo yum erase sendmail</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sendmail is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_sendmail_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_sendmail_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>sendmail</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-detail-idm45662293182000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-80901-2 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Root Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_root_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_root_login:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80901-2">CCE-80901-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R21)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.10</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000770</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000109-GPOS-00056</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010550</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230296r627750_rule</a>, <a 
href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>PermitRootLogin no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is 
removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature 
keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_disable_root_login:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>PermitRootLogin no</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-detail-idm45662293153536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout mediumCCE-80906-1 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Idle Timeout Interval</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_set_idle_timeout:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers 
for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80906-1">CCE-80906-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.13</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002361</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000126-GPOS-00066</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000395-GPOS-00175</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010200</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230244r627750_rule</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. <br><br> To set an idle timeout interval, edit the following line in <code>/etc/ssh/sshd_config</code> as follows: <pre>ClientAliveInterval <b><abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">600</abbr></b></pre> <br><br> The timeout <b>interval</b> is given in seconds. For example, to have a timeout of 10 minutes, set <b>interval</b> to 600. <br><br> If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in <code>/etc/ssh/sshd_config</code>. 
Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;SSH disconnecting idle clients will not have the desired effect without also configuring ClientAliveCountMax in the SSH service configuration.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;The following conditions may prevent the SSH session from timing out: <ul><li>Remote processes on the remote machine generate output. As the output has to be transferred over the network to the client, the timeout is reset every time such a transfer happens.</li><li>Any <code>scp</code> or <code>sftp</code> activity by the same user to the host resets the timeout.</li></ul></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span 
class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">timeout is configured</span> <span class="label label-default">oval:ssg-test_sshd_idle_timeout:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>ClientAliveInterval 600</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on 
the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_sshd_clientalivecountmax:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>ClientAliveCountMax 0 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-detail-idm45662293114672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Client Alive Count Maxxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-80907-9 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Client Alive Count Max</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_keepalive</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sshd_set_keepalive:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80907-9">CCE-80907-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.13</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002361</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures timeout after each <code>ClientAliveCountMax</code> message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. For SSH earlier than v8.2, a <code>ClientAliveCountMax</code> value of <code>0</code> causes an idle timeout precisely when the <code>ClientAliveInterval</code> is set. Starting with v8.2, a value of <code>0</code> disables the timeout functionality completely. 
If the option is set to a number greater than <code>0</code>, then the idle session will be disconnected after <code>ClientAliveInterval * ClientAliveCountMax</code> seconds.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">This ensures a user login will be terminated as soon as the <code>ClientAliveInterval</code> is reached.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature 
keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>8.0p1</td><td>0:8.0p1-9.el8</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-9.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file</span>
<span class="label label-default">oval:ssg-test_sshd_clientalivecountmax:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>ClientAliveCountMax 0 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-detail-idm45662293233344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-82424-3 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Private *_key Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_sshd_private_key:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82424-3">CCE-82424-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.3</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-010490</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230287r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"> To properly set the permissions of <code>/etc/ssh/*_key</code>, run the command: <pre>$ sudo chmod 0640 /etc/ssh/*_key</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /etc/ssh/</span> <span class="label label-default">oval:ssg-test_file_permissions_sshd_private_key:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/ssh/">oval:ssg-object_file_permissions_sshd_private_key:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/ssh/</td><td>^.*_key$</td><td>oval:ssg-state_file_permissions_sshd_private_key_mode_not_0640:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_chrony_installed" id="rule-detail-idm45662292904944"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->The Chrony package is installedxccdf_org.ssgproject.content_rule_package_chrony_installed mediumCCE-82874-9 </div><div class="panel-heading"><h3 class="panel-title">The Chrony package is 
installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_chrony_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_chrony_installed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82874-9">CCE-82874-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.1.1</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</a></p></td></tr><tr><td>Description</td><td><div class="description">System time should be synchronized between all systems in an environment. 
This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. The <code>chrony</code> package can be installed with the following command: <pre> $ sudo yum install chrony</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package chrony is installed</span> <span class="label label-default">oval:ssg-test_package_chrony_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>chrony</td><td>x86_64</td><td>(none)</td><td>2.el8</td><td>3.5</td><td>0:3.5-2.el8</td><td>199e2f91fd431d51</td><td>chrony-0:3.5-2.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" id="rule-detail-idm45662292879888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->A remote time server for Chrony is configuredxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server mediumCCE-82873-1 </div><div class="panel-heading"><h3 class="panel-title">A remote time server for Chrony is configured</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-chronyd_specify_remote_server:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82873-1">CCE-82873-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.1.2</a>, <a href="">0988</a>, <a href="">1405</a></p></td></tr><tr><td>Description</td><td><div class="description"><code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on <code>chrony</code> can be found at <a href="http://chrony.tuxfamily.org/">http://chrony.tuxfamily.org/</a>. 
<code>Chrony</code> can be configured to be a client and/or a server. Add or edit server or pool lines to <code>/etc/chrony.conf</code> as appropriate: <pre>server &lt;remote-server&gt;</pre> Multiple servers may be configured.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If <code>chrony</code> is in use on the system, proper configuration is vital to ensuring time synchronization is working properly.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensure at least one NTP server is set</span> <span class="label label-default">oval:ssg-test_chronyd_remote_server:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/chrony.conf</td><td>pool 2.rhel.pool.ntp.org iburst</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-detail-idm45662292836352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-82184-3 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsh-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82184-3">CCE-82184-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040010</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230492r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsh-server</code> package can be removed with the following command: <pre> $ sudo yum erase rsh-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>rsh-server</code> service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to log in using this service, the privileged user password could be compromised. The <code>rsh-server</code> package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsh-server is removed</span> <span class="label label-default">oval:ssg-test_package_rsh-server_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsh-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsh-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-detail-idm45662292832352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh Packagexccdf_org.ssgproject.content_rule_package_rsh_removed unknownCCE-82183-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsh_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82183-5">CCE-82183-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsh</code> package contains the client commands for the rsh services.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">These 
legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the <code>rsh</code> package removes the clients for <code>rsh</code>, <code>rcp</code>, and <code>rlogin</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsh is removed</span> <span class="label label-default">oval:ssg-test_package_rsh_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsh_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsh</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-detail-idm45662292812208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove NIS Clientxccdf_org.ssgproject.content_rule_package_ypbind_removed unknownCCE-82181-9 </div><div class="panel-heading"><h3 class="panel-title">Remove NIS Client</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypbind_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or 
system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_ypbind_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82181-9">CCE-82181-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.3.1</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div 
class="description">The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (<code>ypbind</code>) was used to bind a system to an NIS server and receive the distributed configuration files.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The NIS service is an inherently insecure system that has been vulnerable to DoS attacks and buffer overflows, and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package ypbind is removed</span> <span class="label label-default">oval:ssg-test_package_ypbind_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_ypbind_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>ypbind</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-detail-idm45662292808224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall ypserv Packagexccdf_org.ssgproject.content_rule_package_ypserv_removed highCCE-82432-6 </div><div class="panel-heading"><h3 class="panel-title">Uninstall ypserv Package</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypserv_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_ypserv_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82432-6">CCE-82432-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.17</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>ypserv</code> package can be removed with the following command: <pre> $ sudo yum erase ypserv</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the <code>ypserv</code> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package ypserv is removed</span> <span class="label label-default">oval:ssg-test_package_ypserv_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_ypserv_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>ypserv</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail 
rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-detail-idm45662292801536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-82182-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall telnet-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_telnet-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82182-7">CCE-82182-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040000</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230487r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>telnet-server</code> package can be removed with the following command: <pre> $ sudo yum erase telnet-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors. <br> The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. <br> Removing the <code>telnet-server</code> package decreases the risk of the telnet service's accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet-server is removed</span> <span class="label label-default">oval:ssg-test_package_telnet-server_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_telnet-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-detail-idm45662292797536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove telnet Clientsxccdf_org.ssgproject.content_rule_package_telnet_removed lowCCE-80849-3 </div><div class="panel-heading"><h3 class="panel-title">Remove telnet Clients</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule 
ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_telnet_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80849-3">CCE-80849-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The telnet client allows users to start connections to other systems via the telnet protocol.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>telnet</code> protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. 
The <code>ssh</code> package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet is removed</span> <span class="label label-default">oval:ssg-test_package_telnet_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_telnet_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" id="rule-detail-idm45662292790848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall xinetd Packagexccdf_org.ssgproject.content_rule_package_xinetd_removed lowCCE-80850-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall xinetd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_xinetd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_xinetd_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80850-1">CCE-80850-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.1.1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000305</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>xinetd</code> package can be removed with the following command: <pre> 
$ sudo yum erase xinetd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Removing the <code>xinetd</code> package decreases the risk of the xinetd service's accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package xinetd is removed</span> <span class="label label-default">oval:ssg-test_package_xinetd_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_xinetd_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>xinetd</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-detail-idm45662292784160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall talk-server Packagexccdf_org.ssgproject.content_rule_package_talk-server_removed mediumCCE-82180-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_talk-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82180-1">CCE-82180-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>talk-server</code> package can be removed with the following command: <pre> $ sudo yum erase talk-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The talk software presents 
a security risk as it uses unencrypted protocols for communications. Removing the <code>talk-server</code> package decreases the risk of the accidental (or intentional) activation of talk services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package talk-server is removed</span>&#160;<span class="label label-default">oval:ssg-test_package_talk-server_removed:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_talk-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>talk-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-detail-idm45662292780160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall talk Packagexccdf_org.ssgproject.content_rule_package_talk_removed mediumCCE-80848-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_talk_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80848-5">CCE-80848-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. 
Talk is a communication program which copies lines from one terminal to the terminal of another user. The <code>talk</code> package can be removed with the following command: <pre> $ sudo yum erase talk</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the <code>talk</code> package decreases the risk of the accidental (or intentional) activation of talk client program.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package talk is removed</span>&#160;<span class="label label-default">oval:ssg-test_package_talk_removed:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_talk_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>talk</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-detail-idm45662292776192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-82436-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall tftp-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_tftp-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_tftp-server_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82436-7">CCE-82436-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-040190</a>, <a 
href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-230533r627750_rule</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Removing the <code>tftp-server</code> package decreases the risk of the accidental (or intentional) activation of tftp services. <br><br> If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package tftp-server is removed</span>&#160;<span class="label label-default">oval:ssg-test_package_tftp-server_removed:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_tftp-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>tftp-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_tftp_removed" id="rule-detail-idm45662292772192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove tftp Daemonxccdf_org.ssgproject.content_rule_package_tftp_removed lowCCE-83590-0 </div><div class="panel-heading"><h3 class="panel-title">Remove tftp 
Daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tftp_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_tftp_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83590-0">CCE-83590-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a></p></td></tr><tr><td>Description</td><td><div class="description">Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. 
The package <code>tftp</code> is a client program that allows for connections to a <code>tftp</code> server.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package tftp is removed</span>&#160;<span class="label label-default">oval:ssg-test_package_tftp_removed:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_tftp_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>tftp</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed" id="rule-detail-idm45662292762832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall DHCP Server Packagexccdf_org.ssgproject.content_rule_package_dhcp_removed mediumCCE-83385-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall DHCP Server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_dhcp_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_dhcp_removed:def:1</td></tr><tr><td>Time</td><td>2021-06-18T12:05:36+01:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83385-5">CCE-83385-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td>Description</td><td><div class="description">If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. 
The <code>dhcp</code> package can be removed with the following command: <pre> $ sudo yum erase dhcp</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dhcp-server is removed</span>&#160;<span class="label label-default">oval:ssg-test_package_dhcp-server_removed:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_dhcp-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>dhcp-server</td></tr></tbody></table></div></div></div></div></div><a href="#result-details" class="btn btn-info noprint">Scroll back to the first rule</a></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. </div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit"> Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.3.5</p></div></footer></body></html>